[WEB SECURITY] secblog - secure blog project

Boberski, Michael [USA] boberski_michael at bah.com
Wed Apr 7 08:23:39 EDT 2010


FYI, htmlpurifier has been integrated into ESAPI for PHP. It's of course one control of many, integrated to work hand-in-hand with other controls such as auditing and intrusion detection.

The ESAPI for PHP project will have a first more complete release than the currently-posted alpha, in the not too distant future.

Best,

Mike B.
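As an illustration of the policy-driven approach the thread recommends (AntiSamy, HTMLPurifier, ESAPI), here is an added example that is not code from any of those projects or from this thread: a minimal allowlist sanitizer built on Python's standard library. POLICY, SAFE_SCHEMES and the other names are constructed for the example; a production policy is far larger, and the real libraries also handle CSS, encodings and nesting rules that this toy does not.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist policy (element -> permitted attributes); deliberately tiny.
POLICY = {"p": set(), "b": set(), "i": set(), "br": set(),
          "a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", ""}        # "" = relative URL
VOID, DROP_BODY = {"br", "img"}, {"script", "style"}

class PolicySanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open, self.dropping = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag in DROP_BODY:
            self.dropping = tag                 # drop <script>/<style> text as well
        if tag not in POLICY or self.dropping:
            return                              # <script>, <iframe>, <object>, ...
        kept = []
        for name, value in attrs:               # html.parser lower-cases names
            if name not in POLICY[tag] or value is None:
                continue                        # on* handlers never pass this check
            if name in URL_ATTRS and urlparse(value.strip()).scheme.lower() not in SAFE_SCHEMES:
                continue                        # javascript:, data:, vbscript: ...
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self.open.append(tag)
    def handle_endtag(self, tag):
        if tag == self.dropping:
            self.dropping = None
        elif tag in self.open:
            while self.open:                    # also closes any unclosed children
                self.out.append(f"</{self.open[-1]}>")
                if self.open.pop() == tag:
                    break
    def handle_data(self, data):
        if not self.dropping:
            self.out.append(escape(data))       # text is always re-escaped

def sanitize(html):
    p = PolicySanitizer()
    p.feed(html)
    p.close()
    while p.open:                               # balance anything still open
        p.out.append(f"</{p.open.pop()}>")
    return "".join(p.out)
```

Because the output is rebuilt from the allowlist rather than filtered by a denylist, anything the policy does not name (elements, attributes, URL schemes) simply never reaches the page.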


-----Original Message-----
From: Stephen Cook [mailto:sclists at gmail.com] 
Sent: Tuesday, April 06, 2010 10:53 PM
To: Jim Manico
Cc: websecurity at webappsec.org
Subject: Re: [WEB SECURITY] secblog - secure blog project

HTMLPurifier does something similar for PHP.

http://htmlpurifier.org/

Jim Manico wrote:
> The hardest part of securing a blogging service is how are you going to 
> allow users to submit HTML for other users consumption? You need to 
> validate that user driven HTML in a pretty prolific way, or you end up 
> being a malware farm (or worse) like blogspot.
> 
> Enter OWASP AntiSamy. This project is the only HTML Validation policy 
> engine that I know of. I've been using it in production on quite a few 
> projects and it's just a little piece of HTML Validation heaven.
> 
> More here:
> http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project#What_is_it.3F 
> 
> 
> - Jim
>> Trying to come up with secure blog software.
>>
>> Just getting started... we'd like your opinions at this
>> preliminary research & info gathering stage, but especially
>> as we try to come up with a new design.
>>
>> http://secblog.bitrot.info/
>>   
> 
> 
> ---------------------------------------------------------------------------- 
> 
> Join us on IRC: irc.freenode.net #webappsec
> 
> Have a question? Search The Web Security Mailing List Archives: 
> http://www.webappsec.org/lists/websecurity/archive/
> 
> Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
> 
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> 
> 
