删除XSS攻击，同时仍允许html? [英] Remove XSS attacks while still allowing html?

问题描述

好吧，现在我有一个难题，我需要允许用户插入原始HTML，但还要阻止所有JS-不仅是脚本标签，而且从href等中也可以.

Ok, now I have a dilemma, I need to allow users to insert raw HTML but also block out all JS - not just script tags but from the href etc. at the moment, all I know of is

htmlspecialchars($string, ENT_QUOTES, 'UTF-8');

但这也会将有效标签转换为编码字符.如果我使用剥离标签，由于它 删除 标签，它也无法使用！ (我知道您可以允许使用标签，但事实是，如果我允许任何标签，例如<a></a>人们可以向其中添加恶意JS.

But this also converts valid tags into encoded characters. If I use striptags, it also doesn't work as it removes tags! (I know that you can allow tags but the thing is if I allow any tags such as <a></a> people can add malicious JS to it.

是否可以做些允许html标签但没有XSS注入的事情?我已经计划了一个功能:xss()，并以此设置了我网站的模板.它返回转义的字符串. (我只需要有关转义的帮助:))

Is there anything I can do to allow html tags but without the XSS injection? I have planned a function: xss() and have setup my site's template with that. It returns the escaped string. (I just need help with escaping :))

谢谢！

推荐答案

相关:来自 HTML净化器文档的示例代码:

require_once '/path/to/HTMLPurifier.auto.php';

$config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);
$clean_html = $purifier->purify($dirty_html);

您可以在xss(...)方法中将该代码用作参考.

You can use that code as a reference in your xss(...) method.

这篇关于删除XSS攻击，同时仍允许html?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！