Only twenty-two

I was only twenty-two, remember; not that I was so stuck on myself that I didn’t want to know just where I was at fault, but at that age nobody knows much of anything.

Edwin Lefevre, “Reminiscences of a Stock Operator”

Fair enough.

Why you should be using a proper HTML sanitization library

The idea that it’s easy to protect your web app from XSS seems to be floating around the interwebz. I’ve seen a whole bunch of “tutorials” saying stuff like “just use htmlencode()” etc.

If you’re building web applications, even small ones, do yourself a favor and use a proper HTML sanitization library. I hear good things about HTMLPurifier (PHP) and Sanitize (Ruby); there is probably a library for most other languages as well. I don’t dare to recommend anything specific, so you’ll need to do some research, but it will be time well spent. And if you’re using a framework or CMS, use the sanitization functions it provides.
