How to filter out Dangerous HTML like SO?

Question

How to filter out Dangerous HTML like SO?

I want to provide an HTML editor on my site, but I do not want to open myself up to xss or other attacks that come with custom HTML.

This is very similar to what Stack Overflow does. How HTML is checked / cleared here, so that styling information remains, while other, more dangerous things (such as javascript, iframe, etc.) are not used?

Are there any libraries (preferably in PHP) that already do this?

+4

html php sanitization html-sanitizing

Dexter Mar 24 '12 at 16:13

source share

4 answers

Whymarrh · Answer 1 · 2012-03-24T16:16:59+0000

PHP has a strip_tags function that removes HTML and PHP tags from a string and allows you to specify specific valid tags. But, as @webarto , there are libraries that make this better.

From the PHP manual .

Jordan schnur · Answer 2 · 2013-03-14T02:31:57+0000

you can use

 strip_tags($yourData,"<a><p><div><i>") // more tags you want to keep;

If your SQL usage also uses

 mysql_real_escape_string($data);

This is really all you do not need to enter. Keep in mind that when using real mySQL rescue, you need to use strip slashes to remove them when you echo them.

Here are the docs for strip tags and docs for mysql escape .

technosis · Answer 3 · 2013-03-22T20:17:00+0000

If you want to allow some (X) HTML and restrict only those tags that are considered unsafe, you can use something like KSES. Wordpress uses such a solution.

http://sourceforge.net/projects/kses/

liljoshu · Answer 4 · 2013-03-13T16:18:21+0000

In addition to Whymarrh's publication, it is recommended that you use the code in a subfolder of your site and automatically change any code that has ".." or "http: //" or any mysql commands.

How to filter out Dangerous HTML like SO?

More articles: