I use jWYSIWYG in the form in which I create these messages in the database, and I wondered how you can prevent an attacker from trying to enter code into a frame?
Is the parenthesis editor (which I usually remove during the mail process) needed to display styles?
I came across similar situations and I started using HTMLPurifier on my PHP server, which will prevent any attack vector that I can think of. It is easy to install and allows you to rename elements and attributes. It also prevents XSS attacks that may still exist when using htmlentities.
If the editor allows arbitrary HTML, you are fighting a lost battle, as users can simply use the editor to create their own malicious content.
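The two answers above make the same point: escaping everything with htmlentities destroys the formatting the editor produces, while letting arbitrary HTML through hands the attacker a script injection channel, so the workable middle ground is an allowlist sanitizer of the kind HTMLPurifier implements. The following is an added example, not code from the question, the answers, jWYSIWYG or HTMLPurifier: a small stand-alone allowlist sanitizer in Python's standard library that shows the mechanics (keep only listed elements and attributes, drop event-handler attributes, reject non-http(s)/mailto hrefs, discard script/style content, re-escape text, and rebalance tags). The names `ALLOWED_TAGS`, `SAFE_SCHEMES`, `safe_href` and `sanitize` and the sample inputs are constructed for this illustration; HTMLPurifier does far more (CSS parsing, nesting rules, full entity handling), which is why the answer recommends it over a home-grown filter.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist (constructed for this example): element -> attributes it may keep.
ALLOWED_TAGS = {
    "p": set(), "br": set(), "b": set(), "i": set(), "u": set(),
    "em": set(), "strong": set(), "ul": set(), "ol": set(), "li": set(),
    "a": {"href"},
}
VOID_TAGS = {"br"}
# Only these URL schemes (or scheme-less relative URLs) survive in href.
SAFE_SCHEMES = {"http", "https", "mailto"}
# Elements whose *content* is discarded, not merely their tags.
DROP_CONTENT_TAGS = {"script", "style"}


def safe_href(value):
    """Return the href if its scheme is allowlisted or absent, else None."""
    if value is None:
        return None
    # Browsers ignore whitespace/control characters inside a scheme
    # ("java\tscript:"), so strip them before looking at the scheme.
    cleaned = "".join(ch for ch in value if not ch.isspace() and ord(ch) >= 0x20)
    scheme = urlparse(cleaned).scheme.lower()
    if scheme and scheme not in SAFE_SCHEMES:
        return None
    return cleaned


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # decode entities, we re-escape
        self.out = []
        self.open_allowed = []  # stack of emitted tags, to keep output balanced
        self.drop_depth = 0     # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return  # unknown element: tag removed, its text content is kept
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue  # drops onclick, onerror, style, src, ...
            if name == "href":
                value = safe_href(value)
                if value is None:
                    continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_allowed.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if self.drop_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        if tag in self.open_allowed:
            # Close anything opened after it as well, so nesting stays valid.
            while self.open_allowed:
                top = self.open_allowed.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))  # re-escape text nodes

    def handle_comment(self, data):
        pass  # comments are dropped outright

    def result(self):
        while self.open_allowed:  # close anything the input left open
            self.out.append(f"</{self.open_allowed.pop()}>")
        return "".join(self.out)


def sanitize(html):
    """Reduce editor output to the allowlisted subset of HTML."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed samples: what a WYSIWYG submission might contain.
    for sample in ('<p onclick="steal()">Hello <b>world</b></p>',
                   '<script>alert(1)</script><i>x</i>',
                   '<a href="javascript:alert(1)">click</a>',
                   '<img src=x onerror=alert(1)>'):
        print(repr(sample), "->", repr(sanitize(sample)))
```

Note the difference from htmlentities: `<b>world</b>` survives as markup rather than becoming `&lt;b&gt;`, while the `onclick`, `<script>` body, `javascript:` link and `<img onerror>` are all gone. The sanitizer should run on the server at submission time, never only in the browser, since the editor's own cleanup can be bypassed by posting the form directly.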
[Answer body lost in extraction; only fragments survive: stackoverflow, HTML, htmlentities, script, Kohana php input XSS, and the link below.]
http://svn.bitflux.ch/repos/public/popoon/trunk/classes/externalinput.php
Source: https://habr.com/ru/post/1750169/