Prevent XSS with strip_tags()?

by

I strongly disagree it’s “academically better”.

  • It breaks user input (imagine how useless StackOverflow would be for this discussion if they “cleaned” posts from all tags).

  • Text inserted in HTML with only tags stripped will be invalid. HTML requires & to be escaped as well.

  • It’s not even safe in HTML! strip_tags() is not enough to protect values in attributes, e.g., <input value="$foo"> might be exploited with $foo = " onfocus="evil() (no <,> needed!)

So the correct solution is to escape data according to requirements of language you’re generating. When you have plain text and you’re generating HTML, you should convert text to HTML with htmlspecialchars() or such. When you’re generating e-mail, you should convert text to quoted-printable format, and so on.

More Related Contents:

  1. How to prevent injection when user is supplying an arbitrary URL parameter?
  2. xss attack on a php page
  3. How can I sanitize user input with PHP?
  4. How to prevent XSS with HTML/PHP?
  5. What are the best practices for avoiding xss attacks in a PHP site [closed]
  6. The ultimate clean/secure function
  7. Do htmlspecialchars and mysql_real_escape_string keep my PHP code safe from injection?
  8. PHP_SELF and XSS
  9. Best way to defend against mysql injection and cross site scripting
  10. How can I properly escape HTML form input default values in PHP?
  11. CodeIgniter – why use xss_clean
  12. How do you set up use HttpOnly cookies in PHP
  13. XSS filtering function in PHP
  14. htmlspecialchars vs htmlentities when concerned with XSS
  15. Protection against XSS exploits?
  16. Extracting data from Json in Php
  17. regular expression [closed]
  18. How to log IP address in text file
  19. PHP cURL not working – WAMP on Windows 7 64 bit
  20. MySQL – count total number of rows in php
  21. Generating random numbers without repeats
  22. PHP : send mail in localhost
  23. PHP function to delete all between certain character(s) in string
  24. double results in my array ( mysql_fetch_array )
  25. How to decode a JSON String
  26. Dynamic PayPal button generation – isn’t it very insecure?
  27. Transpose and flatten two-dimensional indexed array where rows may not be of equal length
  28. Connect to remote MySQL server with SSL from PHP
  29. PHP DOM get nodevalue html? (without stripping tags)
  30. PHP Get Content of HTTP 400 Response

Leave a Comment