<ac:macro ac:name="unmigrated-inline-wiki-markup"><ac:plain-text-body><![CDATA[{zone-template-instance:ZFPROP:Proposal Zone Template}

{zone-data:component-name}
Zend_Filter_Html & Zend_Validate_Html
{zone-data}

{zone-data:proposer-list}
[~thomas]
{zone-data}

{zone-data:liaison}
TBD
{zone-data}

{zone-data:revision}
1.0 - 6 December 2009: Initial Draft.
{zone-data}

{zone-data:overview}
Zend_Filter_Html is a component which filters a given input so that it conforms to the HTML standard.
Zend_Validate_Html is its cousin, which validates whether a given input is conforming HTML.
{zone-data}

{zone-data:references}
* [Tidy|http://php.net/tidy]
* [HTMLPurifier|http://www.htmlpurifier.org/]

* See this post on the problems with the current ZF approach (Zend_Filter_StripTags): [Blog Post|http://blog.astrumfutura.com/archives/425-Zend_Filter_StripTags-Friend,-Foe,-or-Security-Nightmare.html]
{zone-data}

{zone-data:requirements}
Zend_Filter_Html:
* This component *will* convert any input to conforming HTML
* This component *will* prevent XSS attacks
* This component *will* produce 100% valid HTML output
* This component *will* use adapters to allow foreign libraries to be used

Zend_Validate_Html:
* This component *will* validate if input is 100% valid HTML
* This component *will* use adapters to allow foreign libraries to be used
{zone-data}

{zone-data:dependencies}
* Zend_Filter
* Zend_Validate
{zone-data}

{zone-data:operation}
Currently Zend Framework has no component that really prevents XSS attacks.

Zend_Filter_Html filters the given input so that it conforms to the HTML standard, and in doing so prevents XSS attacks. It uses Tidy to produce standard-conforming HTML output and HTMLPurifier to neutralise attack payloads.

Zend_Validate_Html validates whether a given input conforms to the HTML standard.
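As an added example (not code from the proposal or from Zend Framework) of the adapter chain described above, the following runs Tidy first and HTMLPurifier second on the UC-01 input; it assumes ext/tidy and HTMLPurifier are installed, and the Html_* class names are hypothetical:

```php
<?php
// Added example, not the proposal's code: an adapter chain in the spirit of
// Zend_Filter_Html. Tidy (ext/tidy) runs first to repair the markup, then
// HTMLPurifier strips script-bearing constructs. Html_* names are hypothetical.
require_once 'HTMLPurifier.auto.php';
interface Html_Adapter
{
    public function filter($value);
}

// Repairs the markup so the purifier parses one canonical tree, not raw input.
class Html_Adapter_Tidy implements Html_Adapter
{
    public function filter($value)
    {
        $repaired = tidy_repair_string($value, array('show-body-only' => true, 'wrap' => 0), 'utf8');
        return $repaired === false ? $value : $repaired;
    }
}

// Whitelists elements and attributes; an href using the data: scheme fails
// URI validation and is dropped, which is what defeats the UC-01 payload.
class Html_Adapter_Purifier implements Html_Adapter
{
    public function filter($value)
    {
        $config = HTMLPurifier_Config::createDefault();
        $config->set('URI.AllowedSchemes', array('http' => true, 'https' => true, 'mailto' => true));
        $purifier = new HTMLPurifier($config);
        return $purifier->purify($value);
    }
}

// Applies the adapters in the order given, as the proposal requires.
class Html_Filter
{
    private $adapters;
    public function __construct(array $adapters) { $this->adapters = $adapters; }
    public function filter($value)
    {
        foreach ($this->adapters as $adapter) {
            $value = $adapter->filter($value);
        }
        return $value;
    }
}

$filter = new Html_Filter(array(new Html_Adapter_Tidy(), new Html_Adapter_Purifier()));
$input = '<a href="data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pPC9zY3JpcHQ%2B">Click Me And Win IPOD!!!!</a>';
echo $filter->filter($input), "\n";
```

Swapping the two adapters would let the purifier see unrepaired markup, so the order of the chain is part of the security property, not a detail.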
{zone-data}

{zone-data:milestones}
* Milestone 1: \[DONE\] Proposal finished
* Milestone 2: Proposal accepted
* Milestone 3: Working implementation
* Milestone 4: Unit tests
* Milestone 5: Documentation
* Milestone 6: Moved to core
{zone-data}

{zone-data:class-list}
* Zend_Filter_Html
* Zend_Filter_Html_HtmlAbstract
* Zend_Filter_Html_Tidy
* Zend_Filter_Html_HtmlPurifier
* Zend_Validate_Html
* Zend_Validate_Html_HtmlAbstract
* Zend_Validate_Html_Tidy
{zone-data}

{zone-data:use-cases}
||UC-01||
Filtering XSS attacks:
{code}
$input = '<a href="data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pPC9zY3JpcHQ%2B">Click Me And Win IPOD!!!!</a>';
$filter = new Zend_Filter_Html();
$clean  = $filter->filter($input);

// The XSS attempt is neutralised: the data: link is filtered out of $clean
{code}
||UC-02||
Validating HTML:
{code}
$input = '<p>test</i>';
$validate = new Zend_Validate_Html();
$valid = $validate->isValid($input);

// $valid is false as the input is not valid HTML (mismatched closing tag)
{code}
{zone-data}

{zone-data:skeletons}
{code}
// Chains one or more adapters and applies them in the configured order
class Zend_Filter_Html
{
    public function filter($value) {}
}

abstract class Zend_Filter_Html_HtmlAbstract
{
    public function setOptions($options) {}
    public function getOptions() {}
}

class Zend_Filter_Html_Tidy extends Zend_Filter_Html_HtmlAbstract
{
    public function filter($value) {}
}

// Chains one or more adapters and applies them in the configured order
class Zend_Validate_Html
{
    public function isValid($value) {}
}

abstract class Zend_Validate_Html_HtmlAbstract
{
    public function setOptions($options) {}
    public function getOptions() {}
}

class Zend_Validate_Html_Tidy extends Zend_Validate_Html_HtmlAbstract
{
    public function isValid($value) {}
}
{code}
{zone-data}

{zone-template-instance}]]></ac:plain-text-body></ac:macro>