I have an enterprise-level application where registered users are allowed to post articles to a page using the WYSIWYG editor. (This app can be thought of as a website creator.)
Everything works fine, but there are problems:
The WYSIWYG editor publishes an HTML article, as well as some localized string characters that Laravel doesn't like, so the Laravel alpha_num check cannot pass. (Therefore, we do not use it when checking validation.)
We need to allow characters like <, " and > because they may want to add some basic styling using the WYSIWYG editor, so htmlspecialchars() is not an option when echoing / sanitizing values, because harmful things like <br> break.
Users can post things like <script type="text/javascript>alert('Hello');</script> or </div></div></div><div style="width: 100%, height: 100% z-index: 999999"> . I know that this is a huge security risk, but we cannot secure / avoid anything at all. Users will still be able to write <s<!---->cript> and pass the check.
So, in short, we cannot rely on some of the built-in functions of Laravel and PHP. We also cannot disable the WYSIWYG editor because it is used in most areas of the application.
What is the best way to avoid this?
I am thinking of creating a custom rule on top of alpha_num in Laravel, which will be called alpha_num_localised_characters_plus_allowed_html_tags and will add this rule to any input containing the WYSIWYG editor.
Is this a good way? Is there a better alternative? How do you deal with such problems yourself?
Please note: we have already developed an application of huge size, so we will rely on the fastest and most convenient solution.
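One concrete alternative to a character-level rule, added here as an example that is not part of the question or of Laravel itself: parse the editor's HTML with PHP's bundled DOMDocument, keep only an allowlist of elements and attributes, and serialize the tree back out. Because the decision is made on the parsed tree rather than on the raw string, a split tag such as <s<!---->cript> or a run of stray </div> closers needs no pattern of its own; whatever the parser makes of them is either on the allowlist or removed, and the re-serialized fragment cannot close elements outside itself. The same object can serve both needs raised above: a custom rule rejects input when dropped() is non-zero, or the controller stores the clean() output instead of the raw value. The element, attribute and scheme lists are assumptions to be adapted to what the editor actually emits.

```php
<?php
// Added example (not from the question or from Laravel): an allowlist sanitizer
// for WYSIWYG output built on PHP's bundled DOMDocument. The tag, attribute and
// scheme lists below are assumptions chosen for illustration.
final class HtmlAllowlist
{
    // Elements the editor may emit; others are unwrapped (children kept),
    // except script/style, which are removed together with their content.
    private const ALLOWED_TAGS = ['p', 'br', 'b', 'strong', 'i', 'em', 'u', 's',
        'ul', 'ol', 'li', 'h1', 'h2', 'h3', 'blockquote', 'a', 'img'];
    // Attributes per element: no style, no class, no on* handlers.
    private const ALLOWED_ATTRS = ['a' => ['href', 'title'], 'img' => ['src', 'alt']];
    // Schemes accepted in href/src; javascript: and data: are therefore rejected.
    private const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];
    private int $dropped = 0;

    // Nodes and attributes removed by the last clean(); 0 means the input was already clean.
    public function dropped(): int { return $this->dropped; }

    public function clean(string $html): string
    {
        $this->dropped = 0;
        $doc = new DOMDocument();
        libxml_use_internal_errors(true); // users paste broken markup; do not warn
        // The XML PI pins UTF-8 so localized text survives the round trip;
        // NOIMPLIED keeps our <body> as the root instead of wrapping it in <html>.
        $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $html . '</body>',
            LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
        libxml_clear_errors();
        $body = $doc->getElementsByTagName('body')->item(0);
        if ($body === null) { return ''; }
        $this->sanitizeChildren($body);
        // Re-serialize from the tree: stray </div></div> in the input cannot close
        // anything outside the fragment, because no such parents exist in the tree.
        $out = '';
        foreach ($body->childNodes as $child) {
            $out .= $doc->saveHTML($child);
        }
        return $out;
    }

    private function drop(DOMNode $node): void
    {
        $node->parentNode->removeChild($node);
        $this->dropped++;
    }

    private function sanitizeChildren(DOMNode $parent): void
    {
        // Snapshot the list first: the tree is mutated while iterating.
        foreach (iterator_to_array($parent->childNodes) as $node) {
            if ($node instanceof DOMText) {
                continue; // text is entity-escaped by saveHTML()
            }
            $tag = $node instanceof DOMElement ? strtolower($node->tagName) : null;
            if ($tag === null || $tag === 'script' || $tag === 'style') {
                $this->drop($node); // comments, processing instructions, script, style
            } elseif (!in_array($tag, self::ALLOWED_TAGS, true)) {
                // Unknown element: keep its sanitized children, remove the wrapper.
                $this->sanitizeChildren($node);
                while ($node->firstChild !== null) {
                    $parent->insertBefore($node->firstChild, $node);
                }
                $this->drop($node);
            } else {
                $this->sanitizeAttributes($node, $tag);
                $this->sanitizeChildren($node);
            }
        }
    }

    private function sanitizeAttributes(DOMElement $el, string $tag): void
    {
        $allowed = self::ALLOWED_ATTRS[$tag] ?? [];
        $names = [];
        foreach ($el->attributes as $attr) {
            $names[] = $attr->nodeName; // snapshot: removeAttribute mutates the map
        }
        foreach ($names as $name) {
            $n = strtolower($name);
            $ok = in_array($n, $allowed, true)
                && (($n !== 'href' && $n !== 'src') || $this->safeUrl($el->getAttribute($name)));
            if (!$ok) { $el->removeAttribute($name); $this->dropped++; }
        }
    }

    private function safeUrl(string $url): bool
    {
        // Browsers skip tabs/newlines inside a scheme, so strip control
        // characters and spaces before looking for one.
        $probe = preg_replace('/[\x00-\x20]/', '', $url);
        if (!preg_match('/^([a-z][a-z0-9+.-]*):/i', $probe, $m)) {
            return true; // no scheme: relative URL
        }
        return in_array(strtolower($m[1]), self::ALLOWED_SCHEMES, true);
    }
}

// Constructed inputs modelled on the payloads described in the question.
$s = new HtmlAllowlist();
foreach ([
    '<p>Bonjour <b>le monde</b>, café<br></p>',
    '</div></div></div><div style="width:100%; z-index:999999">x</div>',
    '<s<!---->cript>alert(1)</script>',
] as $in) {
    printf("%s\n  -> %s (dropped %d)\n", $in, $s->clean($in), $s->dropped());
}
```

Wiring this into Laravel is a few lines in a service provider's boot(): Validator::extend('allowed_html', ...) with a closure that calls clean() on the value and returns $s->dropped() === 0 (the rule name is an assumption). Do not compare the output byte-for-byte with the input to decide validity, because DOMDocument normalizes the markup it re-serializes; the dropped() counter is the signal. For production use, a maintained library such as HTML Purifier implements this same allowlist approach with far more corner cases (CSS, URI schemes, encodings) covered.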