Summernote Safety

I want to use the Summernote WYSIWYG editor on my website, which I build with Laravel 5.2. However, there is one problem: when I submit my form, I get all my content as HTML. Because of this, I cannot escape the HTML, because then the whole styling will not work, but if I do not escape the HTML, my site will be vulnerable to XSS. What should I do?

Thank you for your help.

+5
2 answers

I am very sorry that the solution that solved my problem comes late, but I saw that 4 people were interested in this issue, so I decided to publish it.

Even if I didn't notice it at first, I later found out that it is best to use the HTML cleaner for Laravel 5 in this situation (for an example of this), because it clears all insecure HTML, so the result should be safe even if the user can send messages using HTML. This makes tipping pretty safe to use. I don't know if htmlpurifier still has security issues, but all my tests were filtered out as needed, so I think it should be safe enough.

Hope this helps someone. Sorry again, I forgot about this issue after I found a solution ...

0
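The approach described in the answer above, as an added example that is not part of the answer or of any Laravel package: Summernote output is passed through the HTML Purifier library (the `ezyang/htmlpurifier` Composer package, which the Laravel 5 wrapper mentioned above builds on) with an allow-list of tags, attributes, CSS properties and URI schemes. The allow-list, the function name `sanitizeSummernoteHtml` and the sample input are assumptions made for this example.

```php
<?php
// Added example, not from the answer above.
// Requires: composer require ezyang/htmlpurifier
require __DIR__ . '/vendor/autoload.php';

/**
 * Reduce editor-submitted HTML to an allow-list of formatting markup.
 * Anything not listed (script tags, on* event handlers, javascript: URLs,
 * unknown tags/attributes) is removed or rewritten by HTML Purifier.
 * The allow-list below is an assumption chosen to cover Summernote's
 * common formatting; adjust it to what your site actually needs.
 */
function sanitizeSummernoteHtml(string $dirty): string
{
    $config = HTMLPurifier_Config::createDefault();

    // No definition cache directory needed for a stand-alone demo;
    // in an application point Cache.SerializerPath at a writable dir instead.
    $config->set('Cache.DefinitionImpl', null);

    // Tags and attributes that may survive (attribute list in brackets).
    $config->set('HTML.Allowed',
        'p[style],br,b,strong,i,em,u,s,span[style],'
        . 'h1,h2,h3,h4,h5,h6,blockquote,pre,code,ul,ol,li,'
        . 'a[href|title],img[src|alt|width|height],'
        . 'table,thead,tbody,tr,th,td');

    // Inline style is allowed only for these CSS properties.
    $config->set('CSS.AllowedProperties',
        'font-weight,font-style,text-decoration,color,background-color,'
        . 'text-align,font-family,font-size');

    // Only these URI schemes are accepted in href/src; javascript: and data:
    // are therefore dropped.
    $config->set('URI.AllowedSchemes', [
        'http'   => true,
        'https'  => true,
        'mailto' => true,
    ]);

    // User-supplied links should not pass link equity.
    $config->set('HTML.Nofollow', true);

    $purifier = new HTMLPurifier($config);
    return $purifier->purify($dirty);
}

// Constructed sample input: legitimate editor formatting mixed with the
// kind of markup that must not reach other users' browsers.
$dirty = '<p style="color:red; position:absolute" onmouseover="alert(1)">'
       . 'Hello <b>world</b></p>'
       . '<script>alert(document.cookie)</script>'
       . '<a href="javascript:alert(1)">click</a>'
       . '<img src="x" onerror="alert(1)" alt="pic">';

$clean = sanitizeSummernoteHtml($dirty);
echo $clean, PHP_EOL;
// The <script> element, the on* handlers, the javascript: href and the
// non-allow-listed "position" style are gone; the paragraph, its colour,
// the bold text, the link text and the <img> with src/alt remain.
```

In a Laravel 5.2 controller you would call `sanitizeSummernoteHtml($request->input('body'))` once, before the content is stored, and then render the stored value in a Blade template with the unescaped `{!! $post->body !!}` syntax; the unescaped output is acceptable only because every stored value has already been through the purifier. Sanitise on the server even though Summernote runs in the browser, since a client can submit any markup it likes regardless of the editor.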

Have you tried using

HTML::decode($someString) 
0

Source: https://habr.com/ru/post/1261938/
