WMD Markdown和服务器端 [英] WMD Markdown and server-side
问题描述
最近2天,我在 WMD 和
要清理" HTML,可以使用 基本上,它允许您指定允许使用的标签/属性,仅保留这些标签/属性. 它还会输出有效的(X)HTML代码作为输出-很好. 您可以在演示页面上看到一个示例,该示例几乎正是您发布的XSS ,btw;-) 例如,您可以尝试使用这种HTML: 输出为: 带有XSS的 它可能无法解决所有问题,但是如果您让用户可以输入HTML,那么它肯定有用吗?(我敢说这是必须的吗?"). > I have worked the last 2 days on WMD and Markdown, and I don't find THE solution for stock data with security. I would like users to be able to post HTML/XML <code> (with WMD) on my site. For the moment, I stock data in the Markdown format, but if I disable JavaScript the user can easily push XSS. If I In my opinion I must After, what can I do to forbid XSS attributes:
To "clean" your HTML, you could use a tool like Basically, it allows you to specify which tags/attributes are allowed, an only keeps those. It also produces valid (X)HTML code as ouput -- which is nice. You can see on the demo page there is an example that is almost exactly the XSS you posted, btw ;-) For instance, you can try with some HTML like this one : The output is : The It might not solve all your problems, but if you are giving users the possiblity to input HTML, is it definitly useful (would I dare saying "it's a must-have" ? ) 这篇关于WMD Markdown和服务器端的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!HTML Purifier
test <img src="javascript:evil();" onload="evil();" />
test <img src="http://www.google.com/a.Png" /> test2
test test <img src="http://www.google.com/a.Png" alt="a.Png" /> test2
img
标记未保留;另一个有;并且添加了alt
属性,使其符合标准.strip_tags
or html_entities
all data I lose the user HTML/XML <code>. How can I do it?html_entities
just the code between pre /pre, but how?! My data is in Markdown.<img src="javascript:alert('xss');" />
HTML Purifier
test <img src="javascript:evil();" onload="evil();" />
test <img src="http://www.google.com/a.Png" /> test2
test test <img src="http://www.google.com/a.Png" alt="a.Png" /> test2
img
tag with XSS has not been kept ; the other one has ; and there's been an alt
attribute added, to be standard-compliant.