@O’Malley
you said:
@bex you just screwed anyone who sits behind a proxy server.
um… no.
A proxy means multiple usernames sharing one IP. That’s totally fine. It’s no different than me running two browsers, and logged in as two users. My example blocks multiple IPs sharing one username. Totally different. And as @Clifton says, IP spoofing over TCP is pretty hard… especially if you rotate the session ID.
Back to the issue of sanitizing, I again agree with @Clifton. You don’t sanitize input: you FRIGGING REJECT it!
In other words, escape ALL angle brackets, unless it’s from a string that EXACTLY MATCHES safe HTML, like:
<b> </b>
<i> </i>
<ul> </ul>
<ol> </ol>
<li> </li>
<pre> </pre>
<code> </code>
Don’t allow ANYTHING fancy in between the angle brackets. No attributes. No styles. No quotes. No spaces. No parentheses. Yes, it’s strict, but who cares?
Being helpful is a security hole.
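As an added illustration (not part of the thread), here is the allowlist approach above in Python: every angle bracket is escaped unless the token is exactly one of the listed tags, with nothing between the brackets but the tag name. Function and constant names are my own; tag balance and nesting are deliberately out of scope, as in the post.

```python
import re

# The exact set of tags the post treats as safe HTML.
SAFE_TAGS = frozenset({"b", "i", "ul", "ol", "li", "pre", "code"})

# Any '<...>' span with no nested brackets, or a lone stray bracket.
TOKEN_RE = re.compile(r"<[^<>]*>|[<>]")

# The only shape allowed through: '<tag>' or '</tag>', lowercase,
# no attributes, no whitespace, no quotes, no anything else.
EXACT_TAG_RE = re.compile(r"^</?([a-z]+)>$")


def is_safe_tag(token: str) -> bool:
    """True only for an exact, bare open or close tag from the allowlist."""
    m = EXACT_TAG_RE.match(token)
    return m is not None and m.group(1) in SAFE_TAGS


def escape_untrusted_html(text: str) -> str:
    """Escape every '<' and '>' except those forming an exact allowlisted tag.

    Anything that does not match the allowlist exactly is rejected by
    escaping it, not 'cleaned up': '<b onclick=x>', '<B>', '< b >' and
    '<script>' all come out as literal text.
    """
    def replace_token(m: "re.Match[str]") -> str:
        token = m.group(0)
        if is_safe_tag(token):
            return token
        return token.replace("<", "&lt;").replace(">", "&gt;")

    # Text between tokens contains no brackets, so it passes through untouched.
    return TOKEN_RE.sub(replace_token, text)


if __name__ == "__main__":
    # Constructed sample comments, not real user data.
    for sample in ("<b>bold</b> and <i>italic</i>",
                   "<b onclick=x>not ok</b>",
                   "a < b > c",
                   "<<code>double</code>"):
        print(repr(sample), "->", repr(escape_untrusted_html(sample)))
```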