Home >Backend Development >PHP Tutorial >javascript - How to prevent xss injection in rich text editor?

javascript - How to prevent xss injection in rich text editor?

WBOY
WBOYOriginal
2016-08-20 09:04:072598browse

If the html tag is filtered to prevent xss injection, the function of the rich text editor will be gone and it will be filtered together. If the html is retained, it will not prevent xss injection.
How to deal with this problem normally? ? ? Filter only specific tags? ? ?

Reply content:

If the html tag is filtered to prevent xss injection, the function of the rich text editor will be gone and it will be filtered together. If the html is retained, it cannot prevent xss injection.
How do you normally deal with this problem? ? ? Filter only specific tags? ? ?

HTML Purifier is an HTML filter written in PHP, which can be used with a WYSIWYG editor to filter out XSS malicious code.

<code><?php
require dirname(__FILE__).'/htmlpurifier/library/HTMLPurifier.auto.php';
$purifier = new HTMLPurifier();
echo $purifier->purify($html);</code>

I think whitelist is good, just keep the tags you want to use and filter everything else

You don’t need to filter whatever functions your rich text editor supports. Just filter other ones. When you receive a p tag, do you still have to distinguish whether it was added using your editor or manually?

Is it okay to stipulate that you need to use your own new set of grammar?

Just filter out the js script

Escaped to entity characters when entering the database
Restored when exporting.
And filter out
<script></script>
javascript:xxx;
this kind

Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn