删除XSS攻击,同时仍允许html? [英] Remove XSS attacks while still allowing html?
问题描述
好吧,现在我有一个难题,我需要允许用户插入原始HTML,但还要阻止所有JS-不仅是脚本标签,而且从href等中也可以.
Ok, now I have a dilemma, I need to allow users to insert raw HTML but also block out all JS - not just script tags but from the href etc. at the moment, all I know of is
htmlspecialchars($string, ENT_QUOTES, 'UTF-8');
但这也会将有效标签转换为编码字符.如果我使用剥离标签,由于它 删除 标签,它也无法使用! (我知道您可以允许使用标签,但事实是,如果我允许任何标签,例如<a></a>
人们可以向其中添加恶意JS.
But this also converts valid tags into encoded characters. If I use striptags, it also doesn't work as it removes tags! (I know that you can allow tags but the thing is if I allow any tags such as <a></a>
people can add malicious JS to it.
是否可以做些允许html标签但没有XSS注入的事情?我已经计划了一个功能:xss()
,并以此设置了我网站的模板.它返回转义的字符串. (我只需要有关转义的帮助:))
Is there anything I can do to allow html tags but without the XSS injection? I have planned a function: xss()
and have setup my site's template with that. It returns the escaped string. (I just need help with escaping :))
谢谢!
推荐答案
require_once '/path/to/HTMLPurifier.auto.php';
$config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);
$clean_html = $purifier->purify($dirty_html);
您可以在xss(...)
方法中将该代码用作参考.
You can use that code as a reference in your xss(...)
method.
这篇关于删除XSS攻击,同时仍允许html?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!