PHP Prevent xss

Question

PHP Prevent xss

Is htmlentities best solution to prevent XSS in PHP? Also I would like to allow simple tags like b , i , a and img . What would be the best solution to implement this? I really looked at bbcode, but found that if not implemented correctly, I will have a problem with XSS too. What should I do? Any good third-party library is welcome.

EDIT:

I just tried the HTML cleaner, and in this case it didn’t work. Just look at this example.

+4

php xss

aWebDeveloper Feb 27 '11 at 7:35

source share

3 answers

look at custom markup languages like markdown (used by stackoverflow), reStructuredText , textile or similar lightweight markup languages

+2

knittl Feb 27 '11 at 10:29

source share

Try using this code (it allows you to use <i> , <b> and <del> ):

 <?php $html = '<b>Inline <del>context <div>No block allowed <great going </div></del></b>'; function escapeEveryOther(&$v, $k) { if($k % 2 == 0) { $v = htmlspecialchars($v); } } $parts = preg_split('`(</?(?:b|i|del)>)`is', $html, -1, PREG_SPLIT_DELIM_CAPTURE); array_walk($parts, 'escapeEveryOther'); $html = implode('', $parts);

and then pass $html via HTMLPurifier to fix inconsistent opening and closing tags.

+1

Kamil Szot Feb 27 '11 at 11:07

source share

Sarfraz · Accepted Answer · 2011-02-27T07:36:50+0000

To do this, I would go for the HTML Purifier , and yes, you can also specify your white tags.

HTML Cleaner is a standard compatible PHP filter library written in PHP. An HTML cleaner will not only remove all malicious code (better known as XSS) with carefully checked,
A safe but permissive whitelist , it also makes sure your documents standards are compatible, something only achievable with a comprehensive knowledge of the W3C specifications.

I know that there are certain functions in the PHP language for this, but I would prefer a dedicated solution.

PHP Prevent xss

More articles: