How do I ensure user input is CSS and not malicious code?

后端 未结 3 1234
自闭症患者
自闭症患者 2021-01-18 01:54

On my website I want to include a text box that will allow the members to change anything they want css wise on their profiles....but I don\'t want to wake up one morning to

3条回答
  •  囚心锁ツ
    2021-01-18 02:42

    I guess this should be enough

    $style = $_POST['style'];
    
    $style = strip_tags($style);
    
        $forbiddenStuff = array(
            '-moz-binding',
            'expression',
            'javascript:',
            'behaviour:',
            'vbscript:',
            'mocha:',
            'livescript:',
        );
    
        $style = str_ireplace($forbiddenStuff, '', $style);
    

    store $style in db , and render on user profile.

    Please note that this solution is copied from a well known software and which has a big community, so i hope this should be perfect.

提交回复
热议问题