About the Author

Hi, I'm Chris, a web developer and a founding member of Analog. I live and work in Brooklyn, NY.

All Posts for Jun 2007

Skip This Section and Jump to the Main Content

2003
2004
2005
2006
2007
2008
2009
2010

'03:: All; Aug; Sep; Oct; Nov; Dec

'04:: All; Jan; Feb; Mar; Apr; May; Jun; Jul; Aug; Sep; Oct; Nov; Dec

'05:: All; Jan; Feb; Mar; Apr; May; Jun; Jul; Aug; Sep; Oct; Nov; Dec

'06:: All; Jan; Feb; Mar; Apr; May; Jun; Jul; Aug; Sep; Oct; Nov; Dec

'07:: All; Jan; Feb; Mar; Apr; May; Jun; Jul; Aug; Sep; Oct; Nov; Dec

'08:: All; Jan; Feb; Mar; Apr; May; Jun; Jul; Aug; Sep; Oct; Nov; Dec

'09:: All; Jan; Feb; Mar; Apr; May; Jun; Jul; Aug; Sep; Oct; Nov; Dec

'10:: All; Jan; Feb; Mar; Apr; May; Jun; Jul; Aug

Planet Web Security

Thu, 28 Jun 2007 22:37:15 GMT
4 Comments
References
Link

If you want to keep up with the latest in web application security, you might want to add Planet Web Security to your reading list. In his announcement, Christian Matthies offers this brief description:

I am pleased to announce the launch of Planet Web Security, founded with the intention to bring together similarly themed news and rants related to web security and to display them in one place.

It's still in its infancy, so I'm sure it will only get better as more relevant blogs are added. Comparing it to my own planet (not specific to web application security), I can already identify a few blogs that should probably be added:

Congrats on getting this launched, Christian!

HTML Purifier

Thu, 28 Jun 2007 05:26:29 GMT
4 Comments
References
Link

I've been focusing on work and neglecting my blog lately, but I want to take a moment to highlight HTML Purifier, a tool developed by Edward Yang. Edward contacted me a few days ago to let me know that he has just released version 2.0, and because this post is tardy, version 2.0.1 is already available.

What is HTML Purifier? In Edward's own words:

HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, it will also make sure your documents are standards compliant, something only achievable with a comprehensive knowledge of W3C's specifications.

I feel comfortable recommending HTML Purifier based on its solid theory of operation as well as its ability to safely handle the XSS Cheat Sheet in its entirety. (Try for yourself.)

HTML Purifier enforces standards, and Edward has explained why this approach is valuable:

I've previously proposed that by insisting standards compliance, you protect yourself against browser quirks. While there wasn't that much discussion on it, I think that it is very possible to do HTML safely.

This is where HTML Purifier really shines. (There are additional reasons to choose it.) Because standards-compliant markup has a limited amount of wiggle room for crafting tricky XSS exploits, enforcing standards can tame a practically unmanageable problem.

I'll probably be talking about HTML Purifier more in the future. In the meantime, perhaps you'd like to try to break it. :-)

Upcoming Events

Brooklyn Beta

21 - 22 Oct 2010

At The Invisible Dog, Brooklyn, New York.

New Comments

Mario Arroyo wrote:: The article is really very good and the users comments and external links to another articles jus...; Posted in
Raphael Almeida wrote:: I realy like hiphop music, but this is very crazy! We'll use it in user group PHP conference at ...; Posted in PHP Anthem
Mal wrote:: Having used smarty for many years, this has never been a problem for me, but after building a web...; Posted in PHP Stripping Newlines
Satya wrote:: Thanks for the info. I have posted the news here on my page: http://www.facebook.com/pages/Web-Sc...; Posted in PHP Anthem
John wrote:: Oh, you need to press "save your password".; Posted in Mozilla Account Manager