Flourish PHP Unframework
This is an archived copy of the forum for reference purposes

Security recommendations on comment form?

posted by audvare 8 years ago

Very simple form but with huge potential problems if done wrong as we all know. So once it's submitted, are there good things to use already within Flourish or should I go use a more robust solution like HTML Purifier? Or are there some other good ones? Of course I'd like to strip most HTML tags, so strip_tags() seems like an easy choice to stay light. Thoughts?

Thanks

Flourish escapes all the data before storing it in the database. Also you can use a token to increase the security of the form ( fRequest::generateCSRFToken() and fCRUD::validateRequestToken() )

posted by jmtucu 8 years ago

Yes, I am using fRequest::get() and fRequest::generateCSRFToken() and validate as well. My main thing I'm wondering is the best way to filter unwanted tags. I already do something like this:

<?php
// Excerpt as posted, cleaned up: the allow-list lives on the comment base class and
// the submission handler passes it to strip_tags() as the allowable-tags string.
class Base_Comment {
  public static function getAlwaysAllowed() {
    return array(
      '<b>',
      '<blockquote>',
      '<br>',
      '<cite>',
      '<em>',
      '<i>',
      '<p>',
      '<q>',
      '<small>',
      '<strong>',
      '<sub>',
      '<sup>',
    );
  }
}

// Submission function (inside the form handler, where $this->post and $comment exist):
// strip_tags() drops every tag not in the list but leaves attributes on the kept tags untouched.
$allowed = Base_Comment::getAlwaysAllowed();
$comment->setText(strip_tags($this->post['text'], implode(' ', $allowed)));

Only one issue. I don't want any attributes preserved. So I need to regex them out I suppose.

posted by audvare 8 years ago
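The attribute problem raised above can be handled without regex by parsing the submission and re-serialising only allow-listed elements with no attributes at all. The following is an added example, not code from the thread or from Flourish; the element list mirrors getAlwaysAllowed(), the function names (sanitizeComment, serializeNode) and the sample comment are constructed for the demonstration.

```php
<?php
// Added example (not from the thread): strip_tags() with an allow-list keeps every
// attribute on the allowed tags, including event handlers. This walks the parsed DOM
// instead and emits allowed elements bare, dropping attributes and escaping all text.

declare(strict_types=1);

// Element names accepted in a comment (getAlwaysAllowed() without the angle brackets).
const ALLOWED_ELEMENTS = ['b', 'blockquote', 'br', 'cite', 'em', 'i', 'p', 'q', 'small', 'strong', 'sub', 'sup'];

// Elements whose text content must be discarded entirely, not merely unwrapped.
const DROP_CONTENT = ['script', 'style'];

function sanitizeComment(string $html): string
{
    $doc = new DOMDocument();
    // Malformed input is expected from a public form; collect libxml errors silently.
    $previous = libxml_use_internal_errors(true);
    // The XML declaration makes libxml read the fragment as UTF-8; body wraps the fragment.
    $doc->loadHTML('<?xml encoding="UTF-8"><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    $body = $doc->getElementsByTagName('body')->item(0);
    return $body === null ? '' : serializeChildren($body);
}

function serializeChildren(DOMNode $node): string
{
    $out = '';
    foreach ($node->childNodes as $child) {
        $out .= serializeNode($child);
    }
    return $out;
}

function serializeNode(DOMNode $node): string
{
    if ($node instanceof DOMText) {
        // The parser decoded entities; re-encode so text can never be read as markup.
        return htmlspecialchars($node->nodeValue, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
    if (!($node instanceof DOMElement)) {
        return ''; // comments, processing instructions and the like are dropped
    }
    $name = strtolower($node->tagName);
    if (in_array($name, DROP_CONTENT, true)) {
        return '';
    }
    $inner = serializeChildren($node);
    if (!in_array($name, ALLOWED_ELEMENTS, true)) {
        return $inner; // unknown element: keep its sanitised text, drop the tag itself
    }
    // Allowed element: emit the bare tag, never its attributes.
    return $name === 'br' ? '<br>' : "<{$name}>{$inner}</{$name}>";
}

// Constructed sample submission for the demonstration.
$sample = '<p class="x" onmouseover="alert(1)">Hi <b style="color:red">there</b>'
        . '<script>alert(2)</script> &amp; <a href="http://example.com/">link</a></p>';

echo "strip_tags keeps attributes: ", strip_tags($sample, '<p><b>'), PHP_EOL;
echo "DOM walk drops them:        ", sanitizeComment($sample), PHP_EOL;
```

Running the two lines side by side shows the difference: strip_tags() returns the p and b tags with their onmouseover and style attributes intact, while the DOM walk returns plain `<p>` and `<b>`, discards the script element with its content, unwraps the disallowed link down to its text, and re-escapes the ampersand.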

If you want to remove all html tags you can use an ereg_replace with &lt;*&gt; as pattern. That will remove everything enclosed with <> or </>.

posted by jmtucu 8 years ago

If you want to allow some HTML, but not all, you should DEFINITELY use HTML Purifier. I use this when I need to handle cleaning HTML. See http://htmlpurifier.org/comparison for reasons why.

It would almost certainly be unwise to use regex to try and remove certain tags or attributes, because your pattern will most likely miss an edge case. You may be able to get away with only allowing things you know are valid, but that is still a very difficult task and would require a lot of initial and continued testing.

posted by wbond 8 years ago
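For the HTML Purifier route recommended above, an element allow-list that names no attributes gives the "tags but no attributes" behaviour asked for earlier in the thread. This is an added example, not code from the thread or from the HTML Purifier project; it assumes the library is installed via Composer (vendor/autoload.php), and the function names and the sample submission are constructed.

```php
<?php
// Added example (not from the thread): a comment sanitiser built on HTML Purifier.
// HTML.Allowed lists elements only; an element with no attribute list keeps no attributes.

declare(strict_types=1);

require_once __DIR__ . '/vendor/autoload.php'; // assumption: Composer-installed ezyang/htmlpurifier

function makeCommentPurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    // Same set as getAlwaysAllowed() earlier in the thread. Adding attributes is explicit,
    // e.g. 'a[href]', so nothing arrives by accident.
    $config->set('HTML.Allowed', 'b,blockquote,br,cite,em,i,p,q,small,strong,sub,sup');
    // Purifier caches parsed definitions on disk; disable that for a self-contained run.
    $config->set('Cache.DefinitionImpl', null);
    return new HTMLPurifier($config);
}

function sanitizeComment(string $html): string
{
    static $purifier = null;
    if ($purifier === null) {
        $purifier = makeCommentPurifier(); // building the purifier is the expensive part
    }
    return $purifier->purify($html);
}

// Constructed sample submission for the demonstration.
$submitted = '<p onmouseover="alert(1)">Hello <b style="color:red">world</b>'
           . '<script>alert(2)</script> <a href="http://example.com/">link</a></p>';

echo sanitizeComment($submitted), PHP_EOL;
```

Purifier parses the input into a DOM, validates it against its own element and attribute definitions, and re-serialises it, which is why the edge cases that defeat a regex (unbalanced tags, odd quoting, entity-encoded attribute values) are handled for you; the output here keeps the p and b elements without their attributes, removes the script element together with its content, and keeps only the text of the disallowed link.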