PHP Markdown XSS消毒剂 [英] PHP Markdown XSS Sanitizer

问题描述

我正在寻找一个简单的PHP库，该库有助于过滤PHP Markdown输出中的XSS漏洞. IE. PHP Markdown将解析诸如以下内容:

I'm looking for a simple PHP library that helps filter XSS vulnerabilities in PHP Markdown output. I.E. PHP Markdown will parse things such as:

[XSS Vulnerability](javascript:alert('xss'))

我一直在做一些阅读，在此主题上找到的最好的是这个问题.

I've been doing some reading around and the best I've found on the subject here was this question.

尽管HTML Purifier看起来是最好的(几乎是唯一的)解决方案，但我想知道是否有更通用的解决方案? HTML Purifier似乎有些健壮，尤其是满足我的需求，并且配置起来很麻烦，尽管这样做似乎效果很好.

Although HTML Purifier looks like the best (nearly only) solution I was wondering if there was anything out there more general? HTML Purifier seems to be a bit robust especially for my needs, as well as a pain to configure, though it looks like it'd work excellent after doing so.

是否还有其他功能可能没有那么健壮和可配置，但仍然做得不错?还是应该深入研究并开始尝试为我的需求配置HTML Purifier?

Is there anything else out there that may be a little less robust and configurable but still do a solid job? Or should I just dig in and start trying to configure HTML Purifier for my needs?

编辑清晰度:我不是想偷工减料或类似之类的东西. HTML Purifier只是提供了许多细粒度的控件，对于一个简单的小项目，只是不需要很多控件，尽管也不使用任何选项也不是.这是我问简单或不那么坚固的地方.

EDIT FOR CLARITY: I'm not looking to cut corners or anything of the like. HTML Purifier just offers a lot of fine grained control and for a simple small project that much control just simply isn't needed, though using nothing isn't an option either. This is where I was coming from when asking for something simpler or less robust.

最后一点，我不正在寻找使用htmlspecialchars()，strip_tags()或类似名称的建议.我已经通过以类似方式对其进行消毒来禁止将HTML嵌入到PHP Markdown Extra中.我正在寻找防止PHP Markdown OUTPUT中的XSS漏洞的方法.

Also a final note, I'm NOT looking for suggestions to use htmlspecialchars(), strip_tags() or anything of the like. I already disallow imbedded HTML in PHP Markdown Extra by sanitizing it in a similar fashion. I'm looking for ways to prevent XSS vulnerabilities in PHP Markdown OUTPUT.

谢谢.

推荐答案

除了 HTML Purifier ，这样做-HTML Purifier确实具有良好的声誉.

I've never heard of any other tool than HTML Purifier, to do that -- and HTML Purifier does indeed have a good reputation.

也许是"有点健壮"和"难以配置"，是的；但它也可能是PHP中使用最多，测试最充分的解决方案；而当您必须选择如此重要的组件时，这些是重要的标准.

Maybe it's "a bit robust" and "a pain to configure", yes ; but it's also probably the most used, and tested, solution available in PHP ;; and those are important criteria when you have to choose such an important component.

即使意味着要花半天的时间来进行正确配置，如果我遇到您的情况，我可能还是会选择HTML Purifier.

Even if it means investing half a day to configure it properly, if I were in your situation, I would probably choose HTML Purifier.

这篇关于PHP Markdown XSS消毒剂的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！