[TYPO3-mvc] removeXSS view helper
Jeff Segars
jsegars at alumni.rice.edu
Wed Apr 29 16:32:52 CEST 2009
Hey Nathan,
There's a pretty comprehensive script at t3lib_div::removeXSS() already
so I figured the view helper would just wrap around that. It just calls
the script at typo3/contrib/RemoveXSS/RemoveXSS.php, which is a slightly
modified version of the script at
http://quickwired.com/smallprojects/php_xss_filter_function.php.
Thanks,
Jeff
Nathan Lenz wrote:
> I see that the removeXSS helper needs to be coded
> (http://forge.typo3.org/wiki/typo3v4-mvc/ToDo_Fluid)
>
> How thorough should this be?
>
> 1. Use the white list technique? If so, is it configurable and where?
>
> 2. What about white listing attributes? This is hard because of
> attributes like style="", something lots of people would want to white
> list, but it can cause problems.
>
> 3. Should it alter the HTML to be standards compliant? The majority of
> XSS removers rely on balancing tags and making standards compliant HTML.
> If malformed HTML should be allowed while removing all XSS it could be
> nearly impossible.
>
> 4. I think it should remove all known examples here:
> http://ha.ckers.org/xss.html
>
>
> There are lots of tools out there that do this sort of thing:
>
> http://sourceforge.net/projects/kses/
> http://htmlpurifier.org/
> http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/index.php
> (promising, because it's all in one function and well contained)
>
> More listed here: http://htmlpurifier.org/comparison.html
>
>
> If the HTML needs to be "purified" to truly remove XSS, then it might be
> better to name this helper something different to better communicate
> what is actually happening.
>
> Just thinking...
>
> --Nathan
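As an added illustration, not code from this thread or from the TYPO3 project: a minimal Fluid view helper for TYPO3 4.x that wraps t3lib_div::removeXSS() the way Jeff describes. The class name, the f:format.removeXSS tag name and the template snippet in the comment are assumptions; t3lib_div::removeXSS() and the Fluid base class are the real 4.x APIs.

```php
<?php
/**
 * Hypothetical Fluid view helper (TYPO3 4.x) that filters a value
 * through t3lib_div::removeXSS(). Class and tag names are assumptions.
 *
 * Template usage (assumed tag name):
 *   <f:format.removeXSS>{comment.body}</f:format.removeXSS>
 *   <f:format.removeXSS value="{comment.body}" />
 *
 * In Fluid 4.x the parameters of render() are reflected into view helper
 * arguments, so the @param docblock below is required, not decorative.
 */
class Tx_Fluid_ViewHelpers_Format_RemoveXSSViewHelper extends Tx_Fluid_Core_ViewHelper_AbstractViewHelper {

	/**
	 * Returns the given HTML with known XSS vectors neutralized.
	 *
	 * @param string $value HTML to filter; if omitted, the tag content is used
	 * @return string filtered HTML
	 */
	public function render($value = NULL) {
		if ($value === NULL) {
			// No "value" argument: filter whatever is between the tags.
			$value = $this->renderChildren();
		}
		if (!is_string($value)) {
			// Objects and arrays carry no markup to filter; cast rather than fail.
			$value = (string) $value;
		}
		// Delegates to typo3/contrib/RemoveXSS/RemoveXSS.php via the core wrapper.
		return t3lib_div::removeXSS($value);
	}
}
?>
```

One caveat worth keeping in mind when naming the helper, since it bears on Nathan's questions 1 to 3: t3lib_div::removeXSS() is a blacklist filter. It neutralizes known-dangerous tags, event-handler attributes and javascript: URIs by breaking them up, and it neither whitelists tags nor rebalances or normalizes the HTML. It is therefore only appropriate for values that must keep some markup; a value that should carry no markup at all is better escaped with htmlspecialchars() than filtered.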