I am using the HTML Purifier library to clean my incoming parameters, but it is not filtering null bytes (for example, %00). Am I missing something, or does the library not support it? Do I have to use a pre-filter? Thanks for any answers.
Edit:
I am using HTML Purifier with the config options

$config = HTMLPurifier_Config::createDefault();
$config->set('Core', 'Encoding', 'utf-8');
$config->set('Cache', 'SerializerPath', '/webdirs/htmlpurify');

For the test string

';</script><%00script>alert(845122)</script>

I get the output

';<%00script>alert(845122)
// From HTML Purifier's test suite for HTMLPurifier_Encoder::cleanUTF8():
// a null byte in the input is stripped from the cleaned output.
$this->assertCleanUTF8("null byte: \0", 'null byte: ');
Maybe you should post some code?
EDIT: Your edit is a bit misleading; the actual output is:

';&lt;%00script&gt;alert(845122)
That is just a plain text string and is completely safe.
If you want to insert the string into a URL, use urlencode().
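The distinction the answer draws (the `%00` in the test string is three ordinary characters, not a null byte, and the escaped output is inert text), as an added example that is not from the question, the answer or HTML Purifier itself: `clean_utf8` is a hypothetical stand-in for the control-character stripping HTML Purifier's cleanUTF8 performs, and `sanitize` uses Python's html.escape in place of the purifier.

```python
import html
import re
from urllib.parse import parse_qs, unquote

# Hypothetical stand-in for HTML Purifier's cleanUTF8() (not the library's code):
# drop NUL and the other C0 control characters except tab, LF and CR.
_CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def clean_utf8(text: str) -> str:
    return _CONTROL_CHARS.sub("", text)


def sanitize(text: str) -> str:
    """Strip control characters, then HTML-escape so no markup survives."""
    return html.escape(clean_utf8(text), quote=False)


def decoded_param(query_string: str, name: str) -> str:
    """What the application sees after the server URL-decodes the query string."""
    return parse_qs(query_string, keep_blank_values=True)[name][0]


# Constructed test input: the string from the question.
PAYLOAD = "';</script><%00script>alert(845122)</script>"

# The characters '%', '0', '0' are plain text: they pass through untouched, but the
# angle brackets around them are escaped, so the result cannot form a tag.
ESCAPED_LITERAL = sanitize(PAYLOAD)
# ';&lt;/script&gt;&lt;%00script&gt;alert(845122)&lt;/script&gt;

# Only URL-decoding turns %00 into a real NUL byte, and that NUL is then stripped.
ESCAPED_DECODED = sanitize(unquote(PAYLOAD))
# ';&lt;/script&gt;&lt;script&gt;alert(845122)&lt;/script&gt;

if __name__ == "__main__":
    print(ESCAPED_LITERAL)
    print(ESCAPED_DECODED)
    # A parameter only contains the text "%00" when it was double-encoded (%2500);
    # a single %00 is already a NUL byte by the time the application reads it.
    print(repr(decoded_param("q=%2500", "q")), repr(decoded_param("q=%00", "q")))
```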