如何让我的用户插入HTML代码,而没有风险? (不仅是技术风险) [英] How can I allow my user to insert HTML code, without risks? (not only technical risks)
问题描述
我开发了一个Web应用程序,它允许我的用户在LAMP环境(debian,apache,php,mysql)中动态地管理网站的某些方面(是的,某种类型的cms)
嗯,例如,他们在我的服务器上的私人区域创建了一条新闻,然后通过cURL请求(或ajax)在其网站上发布。
这个消息是用一个所见即所得的编辑器创建的(现在是fck,在未来可能是tinyMCE)。
所以,我不能禁止html标签,但我怎么能安全?
我必须删除哪些标签(javascripts?)?
这意味着服务器安全......但如何在法律上是安全的?
如果用户使用我的应用程序来制作xss,我可能会遇到一些法律问题吗?
使用php,一个优秀的解决方案是使用 HTMLPurifier 。它有很多选项来过滤不好的东西,并且作为副作用,可以保证格式良好的html输出。我用它来查看可能是恶劣环境的垃圾邮件。
I developed a web application, that permits my users to manage some aspects of a web site dynamically (yes, some kind of cms) in LAMP environment (debian, apache, php, mysql)
Well, for example, they create a news in their private area on my server, then this is published on their website via a cURL request (or by ajax).
The news is created with an WYSIWYG editor (fck at moment, probably tinyMCE in the next future).
So, i can't disallow the html tags, but how can i be safe? What kind of tags i MUST delete (javascripts?)? That in meaning to be server-safe.. but how to be 'legally' safe? If an user use my application to make xss, can i be have some legal troubles?
If you are using php, an excellent solution is to use HTMLPurifier. It has many options to filter out bad stuff, and as a side effect, guarantees well formed html output. I use it to view spam which can be a hostile environment.
这篇关于如何让我的用户插入HTML代码,而没有风险? (不仅是技术风险)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!