删除XSS攻击,同时仍允许html?
[英]Remove XSS attacks while still allowing html?
问题描述
Ok, now I have a dilemma, I need to allow users to insert raw HTML but also block out all JS - not just script tags but from the href etc. at the moment, all I know of is 
好吧,现在我有一个两难的境地,我需要允许用户插入原始HTML,但也阻止所有JS - 不仅仅是脚本标签,而是来自href等,我所知道的只是
htmlspecialchars($string, ENT_QUOTES, 'UTF-8');
But this also converts valid tags into encoded characters. 但这也将有效标签转换为编码字符。 If I use striptags, it also doesn't work as it removes tags! 如果我使用striptags,它也不起作用,因为它删除标签! (I know that you can allow tags but the thing is if I allow any tags such as <a></a> people can add malicious JS to it. (我知道你可以允许标签,但事情是,如果我允许任何标签,如<a></a>人们可以添加恶意JS。
Is there anything I can do to allow html tags but without the XSS injection? 有没有什么我可以做到允许HTML标签,但没有XSS注入? I have planned a function: xss() and have setup my site's template with that. 我已经计划了一个函数: xss()并设置了我的网站模板。 It returns the escaped string. 它返回转义字符串。 (I just need help with escaping :)) (我只需要帮助逃脱 :))
Thanks! 谢谢!
1 个解决方案
解决方案1
3 已采纳 2012-10-17 20:06:42
Related: Preventing XSS but still allowing some HTML in PHP 相关: 防止XSS但仍然允许PHP中的一些HTML
Example code from HTMLPurifier Docs : 来自HTMLPurifier文档的示例代码:
require_once '/path/to/HTMLPurifier.auto.php';
$config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);
$clean_html = $purifier->purify($dirty_html);
You can use that code as a reference in your xss(...) method. 您可以在xss(...)方法中将该代码用作参考。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.