
For cross-site scripting vulnerabilities:

1) Is it a good idea to validate and escape each and every one of the user inputs?

2) Is using strip_tags good enough, and what's the benefit of htmlpurifier over it?

ivan

1. HELL yes. 2. Always use server-side validation (`mysqli_real_escape_string()` and other such methods) (JS validation is fine, it can just be circumvented). – Sterling Archer Sep 01 '13 at 02:23

1 Answer

Yes, this is a good idea. I would go as far as to say if you don't, you are an idiot. When storing the data in a database, use prepared statements and bound parameters. If you use that (like you should) you don't have to manually escape the data going into the database.

Now for displaying the data it depends on what you want to allow and where you are going to output it. If it will be displayed on an HTML page and you don't want to allow any HTML to be rendered, use `htmlspecialchars($content, ENT_QUOTES)`. You almost never have to use `htmlentities`, because that will convert ALL characters for which there is an HTML entity, meaning it will make your document unnecessarily bigger. If you want to allow some HTML, you would have to filter it before displaying it (using HTML Purifier).

Please note that different storage mechanisms and different output media require a different escaping / sanitizing strategy.

PeeHaa

+1, in what situation would a different storage require a different escaping strategy? I imagine if you're using a database, no escaping should be required. – Dave Chen Sep 01 '13 at 02:42

If you for example are going to send an email instead of storing in the database, you have to be wary of header injection. – PeeHaa Sep 01 '13 at 02:44
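The points made in the answer and its comments, put into one runnable PHP script as an added example (this is not code from the original question or answer): encode at the HTML output boundary with `htmlspecialchars` and `ENT_QUOTES`, store with a bound parameter instead of manual escaping, show why an allow-list `strip_tags` is not a sanitizer (it keeps attributes on the tags it allows, which is why a real filter such as HTML Purifier is needed when some HTML must be rendered), and refuse line breaks in a value that will become a mail header. The input string, the `comments` table and the helper names are all constructed for this example.

```php
<?php
// Added example: one escaping strategy per output medium, as the answer advises.

// HTML context: encode, never trust. ENT_QUOTES covers both quote characters so the
// value is also safe inside a quoted attribute; ENT_SUBSTITUTE keeps invalid UTF-8
// from turning the whole result into an empty string.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed untrusted input: markup, an attribute, quotes and an ampersand.
$untrusted = '<b onclick="doSomething()">Hi "friend" & co</b>';

// Vulnerable pattern (kept as a comment): raw interpolation into markup.
// echo "<p>$untrusted</p>";

// Fixed: encode at the point of output, not at the point of storage.
echo '<p>' . escapeHtml($untrusted) . "</p>\n";

// strip_tags with an allow-list removes other tags but leaves attributes on the
// allowed ones, so the onclick attribute survives. That is the gap HTML Purifier
// closes when some HTML has to be rendered.
$stripped = strip_tags($untrusted, '<b>');
$attributeSurvived = strpos($stripped, 'onclick') !== false;   // true
echo 'strip_tags kept the attribute: ' . ($attributeSurvived ? 'yes' : 'no') . "\n";

// Storage: a prepared statement with a bound parameter. The value is sent
// separately from the SQL text, so no manual escaping is involved.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

$insert = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
$insert->execute([':body' => $untrusted]);

// Read it back: stored verbatim, escaped only when rendered as HTML.
$row = $pdo->query('SELECT body FROM comments')->fetch(PDO::FETCH_ASSOC);
echo '<p>' . escapeHtml($row['body']) . "</p>\n";

// Mail context (the header-injection point from the comments): a header value
// must not contain CR or LF, otherwise extra headers can be appended to it.
function assertSingleHeaderLine(string $value): string
{
    if (preg_match('/[\r\n]/', $value)) {
        throw new InvalidArgumentException('header value must be a single line');
    }
    return $value;
}

$subject = assertSingleHeaderLine('Hello from the site');        // accepted
try {
    assertSingleHeaderLine("Hello\r\nBcc: someone@example.invalid"); // rejected
} catch (InvalidArgumentException $e) {
    echo 'rejected mail header: ' . $e->getMessage() . "\n";
}
```

Each boundary gets its own routine here because, as the answer's last sentence says, the encoding that is right for one medium (HTML) does nothing for another (SQL, mail headers, or JSON inside a script block), so escaping has to happen at output time with the encoder that matches where the value is going.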