有没有好的基于PHP的HTML过滤器可用? [英] Are there any good PHP based HTML filters available?
问题描述
我目前正在一个PHP前端项目中。我们非常关心安全问题,因为我们会有相当多的用户,并且是黑客的有吸引力的目标。我们的用户可以提交HTML格式的内容,稍后其他用户可以看到它。这是一个很大的问题,因为我们容易受到整套XSS攻击的影响。我们正在过滤尽可能好的,但各种攻击媒介是相当大的。
因此,我正在寻找基于PHP的HTML消毒/过滤解决方案。商业解决方案很好(甚至是首选)。目前我们正在使用修改后的HTML净化器,但我们对结果并不满意。
有什么好的库/工具可以过滤HTML的恶意文件?
例如HTML5的认知度,一旦它疯狂出现,它将成为安全噩梦。
更新:
我们正在对 HTML净化器进行深入配置。它看起来像我们以前使用的旧框架根本就没有配置它。现在结果看起来好多了。
HTML Purifier项目
我个人用 HTML Purifier项目取得了非常好的结果
它具有很高的可定制性,并且具有庞大的代码库。唯一的问题是上传文件到你的服务器。
你确定你的安装没有配置问题吗?如果配置正确,净化器不应该让任何HTML标签通过。
来自网站:
HTML Purifier是用PHP编写的符合标准的
HTML过滤器库。
HTML Purifier不仅会删除所有
恶意代码(更为人熟知的是
XSS),而且还会带有经彻底审计的
安全但宽松的白名单,它将
还要确保您的文档符合
标准,只需
就可以获得全面的bbb知识,即W3C的规范。
由于
而厌倦了使用BBCode当前的缺陷或
不安全的HTML过滤器?有一个
所见即所得的编辑器,但从来没有能够使用它
?寻找高质量,符合
标准的开源
组件,您正在构建该应用程序
? HTML Purifier用于
你!
我写了一篇关于如何使用带有CodeIgniter的HTML净化器库。 / p>
也许它有助于再次尝试:
//根据需要加载配置并覆盖缺省值
$ config = HTMLPurifier_Config :: createDefault();
$ config-> set('HTML','Doctype','XHTML 1.0 Transitional');
$ config-> set('HTML','AllowedElements','a,em,blockquote,p,strong,pre,code');
$ config-> set('HTML','AllowedAttributes','a.href,a.title');
$ config-> set('HTML','TidyLevel','light');
I am currently in a project with a PHP frontend. We're pretty concerned about security, because we'll have quite a lot of users and are an attractive target for hackers. Our users are able to submit HTML formatted content that is visible to other users later. This is a big problem because we're vulnerable for the whole set of XSS attacks. We're filtering as good as we can, but the variety of attack vectors is pretty big.
So, I'm searching for PHP based HTML sanitizing/filtering solutions. Commercial solutions are fine (even preferred). Currently we're using a modified HTML purifier, but we're not satisfied with the results.
What are some good libraries/tools that are capable of filtering malicious parts of HTML?
It is nice to have for example HTML5 awareness, which will become a security nightmare once it's available "in the wild".
Update: We're doing an in-depth configuration of HTML Purifier. It looks like the older framework we used before was just not configuring it at all. Now the results look much better.
HTML Purifier project
Personally I have had very good results with the HTML Purifier project
It is highly customizable and has a huge code base. The only issue is uploading the files to your server.
Are you sure you have not got a configuration issue with your installation? As the purifier should not let through any HTML tags at all if configured correctly.
From the web site:
HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited,
secure yet permissive whitelist, it will also make sure your documents are standards compliant, something only achievable with a comprehensive knowledge of W3C's specifications.
Tired of using BBCode due to the current landscape of deficient or
insecure HTML filters? Have a
WYSIWYG editor but never been able to use it? Looking for high-quality, standards-compliant, open-source components for that application you're building? HTML Purifier is for you!
I wrote an article about how to use the HTML purifier library with CodeIgniter here.
Maybe it will help with giving it another try:
// load the config and overide defaults as necessary
$config = HTMLPurifier_Config::createDefault();
$config->set('HTML', 'Doctype', 'XHTML 1.0 Transitional');
$config->set('HTML', 'AllowedElements', 'a,em,blockquote,p,strong,pre,code');
$config->set('HTML', 'AllowedAttributes', 'a.href,a.title');
$config->set('HTML', 'TidyLevel', 'light');
这篇关于有没有好的基于PHP的HTML过滤器可用?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
