Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
We had htmlpurifier integrated into our LAMP based product earlier, but it was a bit slow. Recently, we have turned on mod_security. Both of these are part of the OWASP project (owasp used htmlpurifer internally last I checked) so I am thinking the security is redundant.
What would you suggest? Is turning off htmpurifier a viable option? Thanks for any answers.
They both do different things.
mod_securityis a blacklist. It covers some generic exploits (among them XSS, SQL injection, directory traversals, url injection, and others) and past application bugs, but is likely easier to foil with more elaborate encodings and application-specific ways to circumvent the filters. (It often just probes for some URL parameters.)HTMLPurifierreally only coveres HTML sanitization, but that it does quite well. It’s a whitelist filter, so by definition more secure. It’s of course slow. Which is why you should only apply it to incoming data, not as generic filter for everything and everywhere. If it slows down your application you are potentially using it in the wrong spots.