Avoid XSS with BBode input and HTML output

Question

Avoid XSS with BBode input and HTML output

I am currently working on a website where users can write articles with small format features (e.g. bold, italics, list ...). I use the framework: CodeIgniter.

I am a newbie and I heard something about XSS. I would like to know what you think about my implementation. I read this topic: What is the best method for sanitizing user input using PHP?

1) The user writes his article, format it using BBCode. I am using SCEditor.

2) When saving it to the database, I use htmlspecialchars () to filter out any suspicious HTML tag. Should I do this when I save data or show data?

3) When I want to display an article on a website (for example, for other purposes), I convert BBCode tags to HTML tags.

Is this right to do? Am I avoiding XSS?

I am obviously open to suggestions and advice.

thank you for your responses

+6

html codeigniter xss bbcode htmlspecialchars

user2500511 Jun 19 '13 at 9:55

source share

3 answers

Mehdi jalal · Answer 1 · 2013-06-19T10:07:06+0000

Codeigniter for validation has an xss property that all of these employees will execute

$this->form_validation->set_rules('username', 'Username', 'trim|required|min_length[5]|max_length[12]|xss_clean');

check codeigniter validation form:

http://ellislab.com/codeigniter/user-guide/libraries/form_validation.html

user2417012 · Answer 2 · 2013-06-22T20:44:37+0000

I “find and replace” using PHP, but I don’t think this is the most efficient way to do this.

 <?php $malicious = "<script>alert(1)</script>"; $malicious = str_ireplace("<", "", $malicious); $malicious = str_ireplace(">", "", $malicious); echo $malicious; ?>

Dibsyhex · Answer 3 · 2013-07-27T19:33:26+0000

 <?php $malicious = "<script>alert(1)</script>"; $malicious = strip_tags($malicious); $malicious = htmlentities($malicious, ENT_QUOTES); echo $malicious; ?>

Avoid XSS with BBode input and HTML output

More articles: