Security

HTML Purifier 3.0.0 released

If you have ever used BBCode or any other non-HTML markup language in an attempt to avoid filtering user-submitted HTML, those days are over. HTML Purifier is a standards-compliant HTML filter. This means that not only does it protect your website from security risks such as cross-site scripting attacks, but it also produces completely valid (X)HTML. It is also character-encoding aware. With this release, the author, Edward Z. Yang, has decided to GoPHP5, so don’t expect to see this version released for PHP 4 (the 2.1.x branch will be maintained until PHP 4 is completely deprecated, but no new features will be added to it).

This release contains a number of improvements in CSS handling, including the filter HTMLPurifier_Filter_ExtractStyleBlocks, which integrates HTML Purifier with CSSTidy for cleaning style sheets (see the source code file for more information on usage); experimental support for proprietary CSS properties via %CSS.Proprietary; case-insensitive CSS properties; and more lenient hexadecimal color codes. In addition, all code has been upgraded to full PHP 5 and is E_STRICT clean for all versions of PHP 5 (including the 5.0 series, which previously had parse-time errors).

For more details about the release, check out HTML Purifier’s website.

$_SERVER['PHP_SELF'] can not be trusted, but there are safe alternatives

I spend a good deal of time reading about PHP security over at the PHP Developer’s Network forums. Of the many discussions I have had over there, one in particular really opened my eyes to how easy it can be to overlook a very serious security issue. As you may know, there is a predefined array of server-related variables in PHP, aptly named $_SERVER. For years I used a certain element, “PHP_SELF”, within this array in instances where I needed to output the page I was currently working within. One of the most common of such instances is when you need to tell a form to post back to itself (a very common practice in PHP).
(more…)
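The problem the post title refers to, shown as an added example rather than code from the post itself: PHP_SELF is built from the request URL, so any PATH_INFO appended after the script name is reflected verbatim into whatever you print it into. The request URL, script name and helper function names below are constructed for illustration.

```php
<?php
// Added example, not from the original post.
// A request for
//   /contact.php/%22%3E%3Cscript%3Ealert(1)%3C/script%3E%3C!--
// makes PHP populate
//   $_SERVER['PHP_SELF'] = '/contact.php/"><script>alert(1)</script><!--'
// The two assignments simulate that request so the script runs from the CLI.
$_SERVER['PHP_SELF']    = '/contact.php/"><script>alert(1)</script><!--';
$_SERVER['SCRIPT_NAME'] = '/contact.php';   // the script path, without PATH_INFO

// Vulnerable: the raw value closes the action attribute and injects a script element.
function vulnerable_form() {
    return '<form method="post" action="' . $_SERVER['PHP_SELF'] . '">';
}

// Safe alternative 1: escape anything you place inside an attribute.
// ENT_QUOTES converts both " and ' so the attribute cannot be broken out of.
function escaped_form() {
    $self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $self . '">';
}

// Safe alternative 2: SCRIPT_NAME does not carry the attacker-controlled
// PATH_INFO. Escape it anyway; no $_SERVER value should be trusted blindly.
function script_name_form() {
    $self = htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $self . '">';
}

// Safe alternative 3: an empty action posts back to the current URL and
// reflects nothing at all.
function empty_action_form() {
    return '<form method="post" action="">';
}

echo vulnerable_form(), "\n";   // contains a live <script>alert(1)</script>
echo escaped_form(), "\n";      // action="/contact.php/&quot;&gt;&lt;script&gt;..."
echo script_name_form(), "\n";  // action="/contact.php"
echo empty_action_form(), "\n";
```

One caveat on the third alternative: browsers treat an empty action as "post to the current URL", but an empty action attribute is not valid under the HTML5 spec, so if validation matters to you (as it does for the HTML Purifier posts on this page), prefer the escaped SCRIPT_NAME form.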

HTML Purifier v2.0.0 released

HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (i.e. cross-site scripting, or XSS, vectors) with a thoroughly audited, secure yet permissive whitelist, it will also make sure your documents are standards compliant, something only achievable with a comprehensive knowledge of the W3C’s specifications.

HTML Purifier allows developers to accept HTML and output it on their web sites without worrying about cross-site scripting attacks. Not only that, but it also outputs standards-compliant XHTML. This is a major innovation, considering it will allow developers to create WYSIWYG editors for their clients and still have websites that validate.

More to come on this soon, but for now, check out the HTML Purifier website and the demo page. Also, if you like this library and would like to help promote it, you can vote for it at DZone, Reddit, Digg and/or del.icio.us. You may also sport this sexy HTML Purifier icon on your website!

Powered by HTML Purifier

<a href="http://htmlpurifier.org/"><img
src="http://htmlpurifier.org/live/art/powered.png"
alt="Powered by HTML Purifier" border="0" /></a>

Cross-site scripting precautions within Miva SMT templates

As I’ve grown familiar with Miva Merchant, I’ve become very wary of Miva SMT entities. SMT entities are basically to Miva Merchant what variables are to any other language. If you have developed anything in PHP, you are likely aware of the security implications of having register_globals turned on. In Miva Merchant, the same sort of implications exist because Miva Merchant converts all CGI environment variables into SMT entities (variables) upon startup.
(more…)

Protecting your users from themselves

I think we all know that security on the internet, as well as anywhere else, is a big deal. As a web developer, it is your job to protect your users’ data from identity thieves and ill-intentioned e-villains. One thing you’d be wise to remember, though, is that generally a user’s biggest enemy is himself. It is all too easy to forget that not everybody takes security as seriously as you do. Most people won’t even consider security until it bites them in the arse, and when it does, guess who they’re going to blame.

(more…)