sanitization

I'd like to enable users to leave rich text comments, possibly using markdown. I've installed the libraries used on Reddit, but am concerned about the javascript injection attack which occurred last year, especially since I'm still not clear on the details of how the attack was done. Should I still be concerned about comment security? Is there a test string I can put through my system to check for the same flaws that took down reddit? reddit uses the discount markdown library now. Wander Nauta Python-Markdown - the 'standard' one more or less - has a 'safe mode' feature that escapes html tags.

I am trying to put a general purpose function together that will sanitize input to a Mysql database. So far this is what I have: function sanitize($input){ if(get_magic_quotes_qpc($input)){ $input = trim($input); // get rid of white space left and right $input = htmlentities($input); // convert symbols to html entities return $input; } else { $input = htmlentities($input); // convert symbols to html entities $input = addslashes($input); // server doesn't add slashes, so we will add them to escape ',",\,NULL $input = mysql_real_escape_string($input); // escapes \x00, \n, \r, \, ', " and \x1a

I've been hunting around the net now for a few days trying to figure this out but getting conflicting answers. Is there a library, class or function for PHP that securely sanitizes/encodes a string against XSS? It needs to be updated regularly to counter new attacks. I have a few use cases: Use case 1) I have a plain text field, say for a First Name or Last Name User enters text into field and submits the form Before this is saved to the database I want to a) trim any whitespace off the front and end of the string, and b) strip all HTML tags from the input. It's a name text field, they shouldn

I'm looking for the best way to take a simple input: echo -n "Enter a string here: " read -e STRING and clean it up by removing non-alphanumeric characters, lower(case), and replacing spaces with underscores. Does order matter? Is tr the best / only way to go about this? As dj_segfault points out, the shell can do most of this for you. Looks like you'll have to fall back on something external for lower-casing the string, though. For this you have many options, like the perl one-liners above, etc., but I think tr is probably the simplest. # first, strip underscores CLEAN=${STRING//_/} # next,

When receiving user input on forms I want to detect whether fields like "username" or "address" does not contain markup that has a special meaning in XML (RSS feeds) or (X)HTML (when displayed). So which of these is the correct way to detect whether the input entered doesn't contain any special characters in HTML and XML context? if (mb_strpos($data, '<') === FALSE AND mb_strpos($data, '>') === FALSE) or if (htmlspecialchars($data, ENT_NOQUOTES, 'UTF-8') === $data) or if (preg_match("/[^\p{L}\-.']/u", $text)) // problem: also caches symbols Have I missed anything else,like byte sequences or

How can I detect (with regular expressions or heuristics) a web site link in a string of text such as a comment? The purpose is to prevent spam. HTML is stripped so I need to detect invitations to copy-and-paste. It should not be economical for a spammer to post links because most users could not successfully get to the page . I would like suggestions, references, or discussion on best-practices. Some objectives: The low-hanging fruit like well-formed URLs ( http://some-fqdn/some/valid/path.ext ) URLs but without the http:// prefix (i.e. a valid FQDN + valid HTTP path) Any other funny business

I'm wondering if anybody has used this class and found it to be reliable? http://www.phpclasses.org/package/3746-PHP-Remove-unsafe-tags-and-attributes-from-HTML-code.html Many thanks! i recommend http://htmlpurifier.org/ HTML Purifier for cleaning strings safely. I'm wondering if anybody has used this class and found it to be reliable? erm.... 1) phpclasses invites feedback from users - if there's no feedback there, why do you think you'd find it here? 2) its a fairly generic bit of code - the value is in how you apply it, you don't state what your objectives are nor what you've compared it

I want to create a website where users can test regular expressions (there are many out there already...such as this one: http://www.pagecolumn.com/tool/pregtest.htm ). Basically, the user provides a regular expression and some sample text, and the results of the regex evaluation will be spit back. I want to evaluate the regex on the server side with the PHP "preg_*" functions. Is there a way to sanitize the supplied regex? What are the security vulnerabilities that I should be concerned about? I think PHP itself will check the regex. Here's a sample script I made : // check for input, and set