Filtering request parameters

General discussion on PHP
bleak
Posts: 21
Joined: Sun May 03, 2009 8:27 pm

Post by bleak » Fri Oct 30, 2015 1:50 am

Example URI:

http://example.com/en/user?id="><script>alert(document.cookie)</script>
I generally use HTMLPurifier for cleaning up input; however, in this case, it leaves behind the orphaned quote/angle bracket (albeit encoded as ">). This is obviously not ideal, so if there are any recommended solutions for this kind of problem (or if HTMLPurifier can be configured to catch and remove orphans). I've thought about creating an additional filter using regex, but that comes with its own problems.
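As an added example (not from the original post, and not HTMLPurifier's own API), one way to handle an `id` parameter like the one in the URI above is to validate its type instead of sanitising it as HTML, and to encode anything that is echoed back into the page; the function names `readUserId` and `h` and the sample inputs are assumptions made for this example.

```php
<?php
// Added example (not from the original post): treat the "id" parameter as
// data to validate, not markup to clean, and encode on output.

declare(strict_types=1);

/**
 * Validate a request parameter that must be a positive integer id.
 * Returns the integer, or null when the value is absent or malformed.
 * A value such as the "><script>... payload from the post is simply
 * rejected, so no orphaned quote or angle bracket is left to clean up.
 */
function readUserId(array $query): ?int
{
    if (!isset($query['id']) || !is_string($query['id'])) {
        return null;
    }
    $id = filter_var($query['id'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $id === false ? null : $id;
}

/**
 * Encode a string for insertion into HTML text or a double-quoted attribute.
 * ENT_QUOTES covers both quote characters; the charset must match the page.
 */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs: a well-formed id and the payload from the post.
$good = ['id' => '42'];
$bad  = ['id' => '"><script>alert(document.cookie)</script>'];

var_dump(readUserId($good));
var_dump(readUserId($bad));

// If a rejected value must be shown back to the user (e.g. in an error
// message), encode it for the HTML context so the browser renders it as text.
$raw = $bad['id'];
echo '<p>Unknown user: ' . h($raw) . "</p>\n";
echo '<input name="q" value="' . h($raw) . "\">\n";
```

The same pattern applies to any parameter with a known shape (integer, enum, slug): reject what does not match, and reserve HTMLPurifier for fields that are genuinely meant to carry HTML.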
