Sanitize HTML5 with PHP (prevent XSS)

I am creating a WYSIWYG editor with HTML5 and Javascript. I will allow users to publish pure HTML through WYSIWYG, so it needs to be sanitized.

A major task, such as protecting a site from cross-site scripting (XSS), is becoming difficult because there is no up-to-date filter for PHP.

The HTML cleaner does not support HTML5 at the moment, and the general status looks very poor (HTML5 support is not suitable any time soon).

So how should I sanitize untrusted HTML5 with PHP (backend)?

Options so far ...

Are there any other options? Is PHP dying? ;)

+4
2 answers

PHP offers parsing methods to protect against PHP / SQL code injection (i.e. mysql_real_escape_string()). This does not apply to HTML / CSS / JavaScript. Why?

First: The sole purpose of HTML / CSS / Javascript is to display information. To a large extent, you can accept certain HTML elements or reject them depending on your requirements.

-: - HTML/CSS/JS ( ) HTML. .

. , . , , BBCdode, . "" BBCode, .

BBCode- - ( ). WISIGIG / , , .

. HTML .


1


, , . , , HTML-, 100%.

, , , :

  • PHP strip_tags().
  • PHP preg_replace().

<?php
$string = "put some very dirty HTML here.";
// Step 1: keep only the allow-listed tags; every other tag (including <script>) is removed.
// Note that strip_tags() leaves the attributes of the allowed tags untouched.
$string = strip_tags($string, '<p><a><span><h1><li><ul><br>');
// Step 2: strip all attributes from every tag whose name starts with b-z, i.e. every
// allowed tag except <a>, so href="" survives. The original pattern used [b-z0-9]* for the
// rest of the tag name as well, which cut "<span ...>" down to "<sp>"; [a-z0-9]* fixes that.
$string = preg_replace("/<([b-z][a-z0-9]*)[^>]*?(\/?)>/i", '<$1$2>', $string);
echo $string;

.

note: , href="". , [b-z][B-Z].

+1

, :

  mysql_real_escape_string(addslashes($_REQUEST['data']));

.

   stripslashes($data) 

on read , , ,

  htmlentities($data) on write

  html_entity_decode($data) on read
0
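The answers above reach for strip_tags() plus a regex. For the back end of a WYSIWYG editor I would instead run the untrusted markup through a real HTML parser and keep only an allow-list of elements and attributes, because a tag-level filter keeps onclick= and javascript: URLs on every tag it allows, and a regex over the raw string tokenises differently from the browser. The following is an added example written for this page, not code from the question or from either answer: it uses PHP's bundled DOMDocument (available since PHP 5) and nothing else. The tag and attribute lists, the accepted URL schemes, the constructed sample input, and the function names sanitize_html(), sanitize_node() and safe_href() are my own choices.

```php
<?php
// Added example: allow-list HTML sanitizer built on DOMDocument.
// Everything here (lists, names, sample input) is an assumption made for the example.
declare(strict_types=1);

// Allowed elements and, per element, the attributes that survive.
const ALLOWED = [
    'p' => [], 'br' => [], 'ul' => [], 'li' => [], 'h1' => [],
    'span' => [], 'strong' => [], 'em' => [],
    'a' => ['href'],
];

// Elements whose content must be dropped as well, not just the tag itself.
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed'];

// URL schemes accepted in href=; javascript:, data:, vbscript: etc. are rejected.
const SAFE_SCHEMES = ['http', 'https', 'mailto'];

function safe_href(string $url): bool
{
    // The DOM has already decoded entities, so "&#106;avascript:" arrives as "javascript:".
    // Browsers also ignore ASCII control characters and whitespace inside the scheme,
    // so remove them before looking at it.
    $clean = (string) preg_replace('/[\x00-\x20]+/', '', $url);
    if ($clean === '') {
        return false;
    }
    // No scheme at all means a relative URL, which is fine.
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $clean, $m)) {
        return true;
    }
    return in_array(strtolower($m[1]), SAFE_SCHEMES, true);
}

function sanitize_node(DOMNode $node): void
{
    // Iterate over a snapshot, because the live childNodes list is mutated below.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (in_array($tag, DROP_WITH_CONTENT, true)) {
                $node->removeChild($child);          // tag and everything inside it
                continue;
            }
            if (!isset(ALLOWED[$tag])) {
                // Unknown tag: sanitize its children first, then hoist them out and drop the wrapper.
                sanitize_node($child);
                while ($child->firstChild !== null) {
                    $node->insertBefore($child->firstChild, $child);
                }
                $node->removeChild($child);
                continue;
            }
            // Allowed tag: keep only allow-listed attributes whose values pass the URL check.
            foreach (iterator_to_array($child->attributes) as $attr) {
                $name = strtolower($attr->name);
                if (!in_array($name, ALLOWED[$tag], true)
                    || ($name === 'href' && !safe_href($attr->value))) {
                    $child->removeAttribute($attr->name);
                }
            }
            sanitize_node($child);
        } elseif (!($child instanceof DOMText)) {
            // Comments and processing instructions carry no value for a WYSIWYG post: drop them.
            $node->removeChild($child);
        }
    }
}

function sanitize_html(string $dirty): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);      // sloppy user HTML must not raise warnings
    // Wrap the fragment in a known container; the XML declaration makes libxml treat the bytes as UTF-8.
    $doc->loadHTML('<?xml encoding="utf-8"?><div>' . $dirty . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $root = $doc->getElementsByTagName('div')->item(0);
    if ($root === null) {
        return '';
    }
    sanitize_node($root);
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);    // text nodes are re-escaped on the way out
    }
    return $out;
}

// Constructed sample of what an editor might submit.
$dirty = '<p onclick="steal()">Hi <span class="x">there</span>'
       . '<a href="&#106;avascript:alert(1)">x</a>'
       . '<a href="https://example.com">ok</a>'
       . '<script>alert(1)</script><img src=x onerror=alert(1)></p>';
echo sanitize_html($dirty), PHP_EOL;
```

On the sample, the onclick and class attributes are dropped, the entity-encoded javascript: link loses its href while the https link keeps it, the script element disappears with its body, and the img (not in the allow-list, no children) is removed entirely. Two design points matter for XSS: the scheme check runs on the decoded attribute value the browser would actually see, and unknown elements are unwrapped rather than silently kept, so new HTML5 elements never pass through unreviewed. Whatever list you pick, do the sanitizing on the server at write time and store the cleaned markup; escaping at read time is a separate concern.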

Source: https://habr.com/ru/post/1539161/
