fortnox007, Posted December 28, 2010

Hi all, someone gave me a tip to use HTML Purifier instead of inventing fire all over again. So I thought I'd try out the library and it seems to work. But it worked so easily that I thought this can't be true. So since I am very inexperienced with it I would love to hear your tips and advice. If I have time and feel confident enough I'll try to write a tutorial (with pictures) so it can save new people time searching and prevent sneaky people inserting crap in our hard work.

This is what I did: I downloaded the package and only kept the library (since the manual says you only need that). So I just put it in a web folder next to my index.php.

Here is the script I used:

    <?php
    // The library directory sits next to this script, so resolve it relative to this file.
    require_once __DIR__ . '/library/HTMLPurifier.auto.php';

    $purifier = new HTMLPurifier(); // i suppose this creates an instance of a class?? (i really suck in OOphp)

    $dirty_html = '<a href="javascript:alert(\'XSS\')";>hahahaha all your base are belong to us</a>';
    $clean_html = $purifier->purify($dirty_html);

    echo 'some dirty crap here: ' . $dirty_html . '<br />';
    echo 'nice and clean: ' . $clean_html;

Any tips, advice, performance stuff, do's and do not's, anything is welcome. For instance I am not sure if it's good to have it in a web folder.

Thanks guys!
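As an added example (not code from the thread or from the HTML Purifier project), here is how the same purify call looks with an explicit allow-list configuration, a writable definition cache and the library kept outside the document root. The paths /var/www/lib/htmlpurifier and /var/www/cache/htmlpurifier are assumptions; the sample inputs are constructed.

```php
<?php
// Added example, not from the thread. Assumes the HTML Purifier library
// directory lives OUTSIDE the document root (assumed path below) and that
// /var/www/cache/htmlpurifier exists and is writable by the PHP process.
require_once '/var/www/lib/htmlpurifier/HTMLPurifier.auto.php';

// Build the purifier once and reuse it: constructing it is the expensive part.
function get_purifier(): HTMLPurifier
{
    static $purifier = null;
    if ($purifier === null) {
        $config = HTMLPurifier_Config::createDefault();
        // Allow-list only the tags and attributes a user comment actually needs.
        $config->set('HTML.Allowed', 'p,br,b,strong,i,em,a[href],ul,ol,li');
        // Only these URI schemes survive; "javascript:" is not listed, so the
        // href in the thread's test string is dropped along with the attribute.
        $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true, 'mailto' => true]);
        // Drop tags left empty after filtering, e.g. "<b></b>".
        $config->set('AutoFormat.RemoveEmpty', true);
        // Cache the serialized definitions so later requests skip the slow setup.
        $config->set('Cache.SerializerPath', '/var/www/cache/htmlpurifier');
        $purifier = new HTMLPurifier($config);
    }
    return $purifier;
}

// Purify at the trust boundary: the raw string the user submitted, before it is stored or echoed.
function sanitize_user_html(string $dirty): string
{
    return get_purifier()->purify($dirty);
}

// Constructed sample input: the payload from the thread plus a few other common attempts.
$samples = [
    '<a href="javascript:alert(\'XSS\')";>hahahaha all your base are belong to us</a>',
    '<p onmouseover="alert(1)">hover me</p>',
    '<img src=x onerror="alert(1)">',
    '<a href="https://example.com">a normal link</a>',
];

foreach ($samples as $dirty) {
    $clean = sanitize_user_html($dirty);
    // Escape the raw input when displaying it so the demo page itself never renders it.
    echo 'input : ' . htmlspecialchars($dirty, ENT_QUOTES, 'UTF-8') . "\n";
    echo 'output: ' . $clean . "\n\n";
}
```

Run it from the command line with `php demo.php` to compare each input with its purified output; if the cache directory is not writable, HTML Purifier still works but emits a warning on every request.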
PFMaBiSmAd, Posted December 28, 2010

Yes, that's how you would use a method of a class. Whether the code is completely secure would require seeing the code in the class. I have seen login code, email form validation code, ... that claims to be the ultimate 'secure' code and someone went to a lot of work to produce a lot of lines of code in it, but the code contains either intentional or accidental holes in it (makes me think that some of the free code that obviously took a lot of effort to write was actually written and posted by hackers.)
fortnox007 (Author), Posted December 28, 2010

Thanks for your swift reply PFMaBiSmAd. Just in case it was not clear for anyone, I was mentioning this library: http://htmlpurifier.org/

And indeed you're right that the creators could indeed have made backdoors. That's why I'd rather learn how to strip the text myself instead of just dumb installing, but the original thread I posted on how to make safe bbcode myself ended up being dead and I found it rude to bump it again.
lastkarrde, Posted December 28, 2010

> And indeed you're right that the creators could indeed have made backdoors. That's why I'd rather learn how to strip the text myself instead of just dumb installing

I highly doubt the creators made a back door. It is open source code and is used/trusted by many PHP frameworks such as Kohana. The risk that you miss cleaning/filtering something in your own code far outweighs the risk/possibility that HTMLPurifier has a backdoor.
fortnox007 (Author), Posted December 29, 2010

Thanks lastkarrde, I think you are right and it would be pretty weird to doubt the integrity of such a library which is highly adopted by so many CMS frameworks. But yeah, anything is possible. And it is certainly wise to respect the number 1 security rule: 'trust no one'.

Assuming this library is made by talented people who are not evil, I would like to continue this thread with tips and tricks from users that have more experience with it than I have. In the end it would be nice to bundle it in a bite-size tutorial useful for all the phpfreaks members, since security is something we all have to deal with and this library seems to be pretty useful.