如何过滤像SO这样的危险HTML？ [英] How do I filter out Dangerous HTML like SO does?

问题描述

我想在我的网站上提供一个HTML编辑器，但不想让自己面对xss或其他允许用户生成HTML的攻击。<​​/ p>

<这与Stack Overflow的功能非常相似。 HTML如何在这里检查/消毒，以便样式信息仍然存在，而其他更危险的东西（比如javascript，iframe等）被排除在外？

是否有任何库（最好在PHP中）已经这样做？解析方案

PHP有一个函数 strip_tags 可从字符串中去除HTML和PHP标记，并允许您指定某些允许的标记。但作为 @webarto 状态，有图书馆可以更好地执行此操作。

从 PHP手动。

I want to provide an HTML editor on my site, but don't want to open myself up to xss or other attacks that come with allowing user-generated HTML.

This is pretty similar to what Stack Overflow does. How is the HTML checked/sanitized here so that the styling information still remains, while other, more dangerous stuff (like javascript, iframes, etc.) are kept out?

Are there any libraries (preferably in PHP) that already do this?

解决方案

PHP has a function strip_tags that strips HTML and PHP tags from a string, and allows you to specify certain allowable tags. But as @webarto states, there are libraries that do this better.

From the PHP Manual.

这篇关于如何过滤像SO这样的危险HTML？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！