FOSS and When the Internet Remembers

Funny thing about publishing free software, initially you want people to use it. But after they do, they may ask for free support or small problems in what you wrote eat at the back of your mind Could I be hurting someone more than helping?). How long should we support our FOSS projects & at what personal cost?

Around 2011 I published a collection of PHP XSS filters to a Github gist. The collection had started several years before that & evolved over time. At one point it secured a multi-national social advertising service Levi’s ran & was included in two minor CMS frameworks.

Five years later a security researcher found a pretty major flaw in the logic. I’m pretty happy it took five years to find that, but ouch it was a big security hole.

So … I’ve updated my xss_clean.php gist & contacted one project that still uses it. If you’re searching for an XSS filter, do me a favor & try HTML Purifier or the kses libraries. Currently & hopefully for a while longer, their creators continue to have enough time to keep them up-to-date.