HTML Purifier to clean event attributes


Question


I'm working to address some Stored XSS vulnerabilities and I am using HTMLPurifier. I have an input box on the page, and if I type '" onclick="alert(1);" the code is saved to the database and executed on the client. This is happening even after running the input and output through Purifier. It seems as if HTMLPurifier only strips these attrs when they are included within an HTML tag. I'm wondering if there is some config for Purifier that will strip just the event attrs, or any other suggestions on how to clean these up.

Recommended answer


HTML Purifier is purely intended for use on content which will be used as HTML on a page. It is not appropriate for validating content which, for example, will go in an attribute for an HTML element.


You can use some internal APIs of HTML Purifier to validate content for this case. However, for the example quoted in the comments, all you need is htmlspecialchars to do the right thing. The right choice of validator depends on what attribute you put the content in.
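As an added example (not part of the answer and not HTML Purifier's own code), this applies the attribute-context encoding the answer points to, using the question's own test string as constructed input; the helper name attrEncode is this example's own.

```php
<?php
// Constructed sample input: the test string from the question.
$userInput = '\'" onclick="alert(1);';

// Encode a value for placement inside a quoted HTML attribute.
// ENT_QUOTES is passed explicitly: before PHP 8.1 the default was
// ENT_COMPAT, which leaves single quotes alone and is not enough
// for single-quoted attributes.
function attrEncode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Unsafe: the raw value closes the value="..." attribute early, so the
// browser parses the rest of the string as a separate onclick attribute.
// HTML Purifier does not help here because the input is never parsed as
// an element; it is a bare string dropped into attribute context.
$unsafe = '<input type="text" value="' . $userInput . '">';

// Safe: both quote characters become entities, so the entire string
// stays inside the attribute value and no new attribute is created.
$safe = '<input type="text" value="' . attrEncode($userInput) . '">';

echo "unsafe: ", $unsafe, PHP_EOL;
echo "safe:   ", $safe, PHP_EOL;

// Keep HTML Purifier for the case it is built for: user-supplied markup
// rendered as element content, e.g. $purifier->purify($userHtml).
```

The encoder is chosen by output context: htmlspecialchars with ENT_QUOTES for attribute values, HTML Purifier for markup that will be rendered as element content.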

