Is having both mod_security and htmlpurifier an overkill?

We had htmlpurifier integrated into our LAMP based product earlier, but it was a bit slow. Recently, we have turned on mod_security. Both of these are part of the OW开发者_JS百科ASP project (owasp used htmlpurifer internally last I checked) so I am thinking the security is redundant.

What would you suggest? Is turning off htmpurifier a viable option? Thanks for any answers.

They both do different things. mod_security is a blacklist. It covers some generic exploits (among them XSS, SQL injection, directory traversals, url injection, and others) and past application bugs, but is likely easier to foil with more elaborate encodings and application-specific ways to circumvent the filters. (It often just probes for some URL parameters.)

HTMLPurifier really only coveres HTML sanitization, but that it does quite well. It's a whitelist filter, so by definition more secure. It's of course slow. Which is why you should only apply it to incoming data, not as generic filter for everything and everywhere. If it slows down your application you are potentially using it in the wrong spots.