<p><code>safe2()</code> is clearly <a href="http://php.net/htmlspecialchars" rel="nofollow"><code>htmlspecialchars()</code></a></p>
<p>In place of <code>safe1()</code> you should really be using <a href="http://www.google.com/search?q=HTMLPurifier" rel="nofollow"><code>HTMLPurifier</code></a> to sanitize complete blobs of HTML. It strips unwanted attributes, tags and in particular anything javascriptish. Yes, it's slow, but it covers all the small edge cases (even for older IE versions) which allow for safe HTML user snippet reuse. But check out <a href="http://htmlpurifier.org/comparison" rel="nofollow">http://htmlpurifier.org/comparison</a> for alternatives. -- If you really only want to display raw user text there (no filtered html), then <a href="http://php.net/strip_tags" rel="nofollow"><code>htmlspecialchars(strip_tags($src))</code></a> would actually work fine.</p>
<p><code>safe3()</code> screams regular expression. Here you can really only apply a <strong>whitelist</strong> to whatever you actually want:</p>
<pre><code>var a = "&lt;?php echo preg_replace('/[^-\w\d .,]/', "", $xss)?&gt;";
</code></pre>
<p>You can of course use <code>json_encode</code> here to get a perfectly valid JS syntax and variable. But then you've just delayed the exploitability of that string into your JS code, where you then have to babysit it.</p>
<hr>
<blockquote>
<p>Is it also safe in all browsers (specifically IE6)?</p>
</blockquote>
<p>If you specify the charset explicitly, then IE won't do its awful content detection magic, so UTF-7 exploits can be ignored.</p>
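The following PHP is an added illustration of the context-specific encoding choices the answer above describes; it is not code from that answer. The function names, the flag selection and the sample input are assumptions made here for the demonstration.

```php
<?php
// Added example: one encoder per output context, following the answer's advice.
// Function names and the sample input are assumptions for illustration.
declare(strict_types=1);

// HTML body/attribute context: encode every character with HTML meaning.
// ENT_QUOTES covers both quote styles; the explicit charset is the point the
// answer makes about IE's content detection, so the browser never guesses.
function htmlContext(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Plain-text display of user input: strip the tags first, then encode what is left.
function textOnly(string $s): string
{
    return htmlspecialchars(strip_tags($s), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// JavaScript string context, whitelist approach from the answer: keep only word
// characters, space, hyphen, dot and comma; everything else is dropped, not escaped.
function jsWhitelist(string $s): string
{
    return preg_replace('/[^-\w\d .,]/', '', $s) ?? '';
}

// JavaScript context, encoding approach: json_encode yields a valid JS string
// literal, and the HEX flags also encode <, >, &, ' and " so the literal cannot
// terminate an enclosing <script> element when embedded in an HTML page.
function jsLiteral(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed sample input containing characters that matter in each context.
$input = 'Bob <b>&</b> "Alice" </script>';

// Declare the charset explicitly (ignored when run from the CLI).
header('Content-Type: text/html; charset=UTF-8');

echo '<p>' . htmlContext($input) . "</p>\n";
echo '<p>' . textOnly($input) . "</p>\n";
echo '<script>var a = "' . jsWhitelist($input) . "\";</script>\n";
echo '<script>var b = ' . jsLiteral($input) . ";</script>\n";
```

Note that the whitelist variant silently loses characters such as quotes and angle brackets, whereas the json_encode variant preserves them in encoded form; which one is appropriate depends on whether the value must survive unchanged.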