Mailing List Archive



Re: [tlug] Do you whitelist or blacklist utf-8?



On Thu, 24 Feb 2011 at 3:50 am, Shmuel Fomberg wrote:

>>> but first you need to tell us something about your data. is the user
>>> allowed to enter HTML tags?
>> Nope. I want to be real strict. They get:
>> No punctuation at all.
>> Only spaces, no other white space (tabs, line feed characters, or
>> anything else).
>> They can have 0-9a-zA-Z, and anything above the ASCII range (taking into
>> account what you wrote above).
> Then you are pretty safe from XSS.
> All these attacks are basically injecting unwanted HTML tags into your site.
> If you don't allow any punctuation, then no tags can be injected.
>

Filtering input is one thing, but if you really want to avoid XSS, you
need to HTML escape anything that could've come from outside when
*displaying* it. Most modern environments do that for you by default (or
there is an 'htmlEscape' switch you can flip), but check just in case.

BTW, unnecessary filtering/restrictions and replacing of characters can be
*really* annoying. I curse every time I have to fill in a form that tells me
to enter my name in full-width *kanji*, then my phone number in half-width
romaji, then my address in..., etc. The more obnoxious ones limit the
length of the name field to 8 chars, or so... Even more annoying when you
try to format something, and you find out they stripped all of your
spaces.
Just something to consider when trying to make your input checks air-tight.

And, yeah, for better security, don't use PHP :)
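As an added example (not code from the thread or its posters), here are the two layers the reply distinguishes, in Python: the character whitelist the quoted message describes on the input side, and HTML escaping at display time on the output side. The sample strings are constructed; `is_allowed`, `render_escaped` and `render_unescaped` are names chosen here.

```python
import html
import string

# Input-side whitelist exactly as described in the quoted message:
# ASCII letters and digits, the plain space, and anything above the
# ASCII range. No punctuation, no tabs, no line feeds.
ASCII_ALLOWED = set(string.ascii_letters + string.digits + " ")


def is_allowed(value: str) -> bool:
    """True if every character of the submitted value is on the whitelist."""
    return all(ch in ASCII_ALLOWED or ord(ch) > 0x7F for ch in value)


def render_unescaped(value: str) -> str:
    """The pattern the reply warns against: the value lands in the page as-is.
    Safe only while *every* value reaching it passed the whitelist, which is
    hard to guarantee once values also come from other fields or stores."""
    return f"<p>{value}</p>"


def render_escaped(value: str) -> str:
    """The pattern the reply recommends: escape at display time, whatever the
    source. '<', '>', '&' and quotes become entities; non-ASCII passes through."""
    return f"<p>{html.escape(value, quote=True)}</p>"


def accept_and_render(value: str) -> str:
    """Both layers together: reject off-whitelist input, escape on output."""
    if not is_allowed(value):
        raise ValueError("input contains characters outside the whitelist")
    return render_escaped(value)


if __name__ == "__main__":
    # Constructed samples: a plain name, a mixed kanji/romaji string, and a
    # value that did not pass through the whitelisted field at all.
    for sample in ("Shmuel Fomberg", "東京 tokyo 2011", "a<b"):
        print(sample, "->", "accepted" if is_allowed(sample) else "rejected")
    stray = "<b>from somewhere else</b>"
    print(render_unescaped(stray))  # tag survives: exactly the XSS shape
    print(render_escaped(stray))    # tag neutralised regardless of origin
```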




