[英]Remove XSS attacks while still allowing html?
Ok, now I have a dilemma, I need to allow users to insert raw HTML but also block out all JS - not just script tags but from the href etc. at the moment, all I know of is 好吧,现在我有一个两难的境地,我需要允许用户插入原始HTML,但也阻止所有JS - 不仅仅是脚本标签,而是来自href等,我所知道的只是
htmlspecialchars($string, ENT_QUOTES, 'UTF-8');
But this also converts valid tags into encoded characters. 但这也将有效标签转换为编码字符。 If I use striptags, it also doesn't work as it removes tags!
如果我使用striptags,它也不起作用,因为它删除标签! (I know that you can allow tags but the thing is if I allow any tags such as
<a></a>
people can add malicious JS to it. (我知道你可以允许标签,但事情是,如果我允许任何标签,如
<a></a>
人们可以添加恶意JS。
Is there anything I can do to allow html tags but without the XSS injection? 有没有什么我可以做到允许HTML标签,但没有XSS注入? I have planned a function:
xss()
and have setup my site's template with that. 我已经计划了一个函数:
xss()
并设置了我的网站模板。 It returns the escaped string. 它返回转义字符串。 (I just need help with escaping :))
(我只需要帮助逃脱 :))
Thanks! 谢谢!
Related: Preventing XSS but still allowing some HTML in PHP 相关: 防止XSS但仍然允许PHP中的一些HTML
Example code from HTMLPurifier Docs : 来自HTMLPurifier文档的示例代码:
require_once '/path/to/HTMLPurifier.auto.php';
$config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);
$clean_html = $purifier->purify($dirty_html);
You can use that code as a reference in your xss(...)
method. 您可以在
xss(...)
方法中将该代码用作参考。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.