How to allow specific html tags?

Question

How to allow specific html tags?

I have a text box where the user can write an article. The article may contain text (bold and italics), links and YouTube videos. How can I enable these specific html tags and still send secure code preventing xss?

+6

html php xss

Michael Feb 12 '12 at 16:47

source share

2 answers

If you are looking for real XSS protection, I suggest using HTMLPurifier . Doing it yourself is quite difficult, if not impossible. And should have errors (/ holes) in it.

+1

Peeehaa Feb 12 '12 at 16:48

source share

Pascal martin · Accepted Answer · 2012-02-12T16:48:57+0000

I would use HTMLPurifier so that you only save HTML

It's really
and contains only the tags and attributes that you have selected to allow

I have to add that PHP provides the strip_tags() function, but this is not so good (quoting):

Because strip_tags() does not actually check HTML, partially or broken tags can remove more text / data than expected.

This function does not change any attributes in the tags that you allow the use of allowable_tags , including the style and onmouseover attributes, which an attacker can abuse when publishing text that will be displayed to other users.

How to allow specific html tags?

More articles: