I also find HTML Purifier to be too big.

To get around any security issues what I do is to encode the POSTed data (coming from TEXTAREAs) with base64 and leave it to a human to clean up any mess etc.

Not a perfect solution (you can’t sort or search data) by any means but it ain’t going to 1) break your box and 2) piss off your host.

I don’t have any confidence in the PHP filters for this job and I’m not really sure I want to start experimenting with my own filter for such a crucial job when a tried and tested script is already out there.

Every time you invoke the PHP parser, APC will stat() the files included (and the files included by that script and so on) to see if they’ve changed. Chances are good that they haven’t, but APC still has to check (unless you disable that functionality as I’ve described here: http://www.brandonsavage.net/to-stat-or-not-to-stat/)

Additionally, as APC fills up, it will dump files off the memory to ensure it doesn’t overrun its limit. This might mean that some files get cached, then dumped, then cached again, etc.

You might be able to solve this by writing an autoload function (see http://us3.php.net/manual/en/function.spl-autoload-register.php and http://www.brandonsavage.net/making-life-better-with-the-spl-autoloader/) but as soon as you hit the HTML Purifier script it will include what it’s been written to include unless you strip out the includes, which would make upgrading difficult.

I think a lot of the time you don’t need the functionality of something as robust as HTML Purifier, and leaving it out is better than including it and then trying to manage the performance and/or access questions that arise. You only need it in select circumstances (namely, when saving input to the database or getting it from the database) so you might be better off using the Lite version, rolling your own, using the filtering functions, or including it ONLY when ABSOLUTELY necessary.

However, I would like to hear suggestions of other libraries that I could use, should I find out HTMLPurifier takes up too many resources.

Thanks,

Mikael

but jokes aside, the only thing that worries me about such innovations (they should be in php for ages) is that it always makes me wonder. How actually good are these functions?

I love to use open source as i save time but sometimes i just dont know what is in there.

With email there are all those different encodings of domain names and special chars in non-english languages. Its not that simple any more. Will they be accepted or not? How well unit tested is it? (and i dont mean coverage which does not mean anything in this case!). Why did they not add any information (doc says: ‘Validates value as e-mail.’)

Finally, what if im not happy with it any more? What if there is bug or just filter is crap? Your approach does not isolate your code. So what i would do is add my own wrapper. If i change my mind i will just replace implementation not ripping entire site again.

In addition i would add a few simple unit tests to make sure i know what to expect and i can easily replace implementation without major risk or waste of time.

With PHP libs its a bit different story. I can easily lookup whats under the hood thats why i like zend framework so much :-) but reading PHP extensions code is usually much more frustrating. But i sill would wrap whenever possible.

To summarize …. yes its super cool they added it and that people can use it but its totally not cool you dont know what you get ;-)

art

I would stay away from HTML Purifier; not because it’s badly developed but as stated, it’s not exactly compact and from my own experience there are perforamce concerns.

I did suggest to the developers that they break it down into more modular, manageable components a while back, giving the end user greater control and flexibility over the level of purification they do.

Also, it’s way over the top for the most applications; I beg to differ that there are [now] better options available.

Agreed that they should have been added sooner, but personally, I look forward to stripping out some of my (potentially incorrect) code in favor of this. The speed is there but then it’s one more thing that I don’t have to worry about and I can spend my time on other things.

Les, no need to gut your existing script. This is just one option out of many for securing your application. I agree, the filters should have been included sooner.