Question

We had htmlpurifier integrated into our LAMP based product earlier, but it was a bit slow. Recently, we have turned on mod_security. Both of these are part of the OWASP project (owasp used htmlpurifier internally last I checked) so I am thinking the security is redundant.

What would you suggest? Is turning off htmlpurifier a viable option? Thanks for any answers.


Solution

They both do different things. mod_security is a blacklist. It covers some generic exploits (among them XSS, SQL injection, directory traversals, url injection, and others) and past application bugs, but is likely easier to foil with more elaborate encodings and application-specific ways to circumvent the filters. (It often just probes for some URL parameters.)

HTMLPurifier really only covers HTML sanitization, but that it does quite well. It's a whitelist filter, so by definition more secure. It's of course slow, which is why you should only apply it to incoming data, not as a generic filter for everything and everywhere. If it slows down your application you are potentially using it in the wrong spots.
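The following is an added example, not code from the answer above or from the HTML Purifier project: it shows the two points the answer makes, a whitelist configuration (anything not listed is removed, so there is no blacklist to bypass) and applying the purifier once at the trust boundary where user HTML enters the application rather than on every render. It assumes HTML Purifier is installed via the Composer package `ezyang/htmlpurifier`; the function names, the cache directory and the sample comment are my own assumptions.

```php
<?php
// Added example (not from the original answer or from the HTML Purifier
// project). Assumes the Composer package ezyang/htmlpurifier is installed.
require_once __DIR__ . '/vendor/autoload.php';

/**
 * Build one purifier instance per request. Constructing it is the expensive
 * part: HTML Purifier compiles its element/attribute definitions, and the
 * serializer cache lets later requests reuse them instead of rebuilding.
 *
 * Hypothetical helper name; $cacheDir is an assumption for this example.
 */
function buildCommentPurifier(string $cacheDir): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();

    // Whitelist: only these elements and attributes survive. Anything else,
    // including <script>, event-handler attributes and unknown tags, is
    // removed. Nothing has to be enumerated as "bad".
    $config->set('HTML.Allowed', 'p,br,b,strong,i,em,ul,ol,li,a[href],blockquote');

    // Links may only use plain web schemes; hrefs with other schemes are dropped.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    $config->set('HTML.Nofollow', true);

    // Persist serialized definitions so the slow setup happens only once.
    if (!is_dir($cacheDir)) {
        mkdir($cacheDir, 0700, true);
    }
    $config->set('Cache.SerializerPath', $cacheDir);

    return new HTMLPurifier($config);
}

/**
 * Sanitize at the trust boundary: the raw submission is purified once and
 * the clean result is what gets stored and later rendered as-is, so the
 * purifier never runs on the read path. Hypothetical helper name.
 */
function storeComment(HTMLPurifier $purifier, string $rawHtml): string
{
    $clean = $purifier->purify($rawHtml);
    // ... persist $clean to the database here (placeholder, not shown) ...
    return $clean;
}

// Constructed sample input: markup a user might submit through a comment form.
$submitted = '<p onclick="x()">Hello <b>world</b> '
    . '<a href="https://example.com/">link</a> <unknown>tag</unknown></p>';

$purifier = buildCommentPurifier(sys_get_temp_dir() . '/htmlpurifier-cache');

// With the whitelist above, the allowed <p>, <b> and https <a> survive while
// the onclick attribute and the unknown element tags are stripped.
echo storeComment($purifier, $submitted), PHP_EOL;
```

Keeping `Cache.SerializerPath` pointed at a writable directory is the usual fix for the slowness the question describes; without it the definition set is rebuilt on every request. Storing the purified HTML and rendering it unchanged is what keeps the filter off the hot path, which is the "wrong spots" point in the answer.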

Licensed under: CC-BY-SA with attribution