All geek questions in one place

Remove XSS attacks while maintaining html?

Ok, now I have a dilemma: I need to allow users to embed raw HTML code, and also block all JS tags, not just script tags, but from href, etc. for now all i know is

htmlspecialchars($string, ENT_QUOTES, 'UTF-8');

But it also converts valid tags to encoded characters. If I use striptags, it also does not work, as it removes the tags ! (I know that you can allow tags, but the fact is, if I allow any tags, such as <a></a> , people can add malicious JS to it.

Is there anything I can do to use html tags but without XSS implementation? I planned a function: xss() and with this I installed my site template. It returns an escape string. (I just need help with acceleration :))

Thanks!

+4
source share
1 answer

Related: Preventing XSS, but still allowing some HTML in PHP

Sample code from HTMLPurifier Docs :

 require_once '/path/to/HTMLPurifier.auto.php'; $config = HTMLPurifier_Config::createDefault(); $purifier = new HTMLPurifier($config); $clean_html = $purifier->purify($dirty_html);

This code can be used as a reference in your xss(...) method.

+3
source

Source: https://habr.com/ru/post/1440386/

More articles:


All Articles