How can I allow WYSIWYG editors and disable XSS attacks using Laravel?

你的背包 2021-02-08 22:31

I have an enterprise level application where logged in users are authorized to post articles to a page using a WYSIWYG editor. (You can consider this application as a website build

5 answers
  • 2021-02-08 23:07

    I don't know how feasible this is for you, but one quick and easy solution is to use httpOnly cookies. It resolves XSS attacks via injection of malicious JavaScript, as those cookies are not accessible to JavaScript. You can try to put sensitive data in httpOnly cookies and not so sensitive data in normal cookies. See this: http://www.codinghorror.com/blog/2008/08/protecting-your-cookies-httponly.html

  • 2021-02-08 23:10

    I believe that XSS attacks are an output problem.

    There is no security risk if you store

    <script>alert('Hacking your website in 3...2...')</script>

    in your database - it is just text - it doesn't mean anything. I encourage escaping all output, regardless of where it came from. Here is a good discussion with further points on why you should filter output, not input:

    html/XSS escape on input vs output

  • 2021-02-08 23:18

    Can you run everything through strip_tags and just allow the minimum tags possible?

    You may also want to look at HTML Purifier, which should give you more options including control over CSS.

    What I usually do is save two copies of the WYSIWYG content:

    1. the original unfiltered content
    2. the filtered content

    This allows me to reprocess the original content if I find that something vital has been stripped out, and also to show the user their original HTML when editing. Obviously I display the filtered content wherever it is displayed on the site.

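
The "two copies" pattern from the answer above, written out as an added example (my code, not from any poster): the untouched original is kept for re-editing and re-filtering, and only the HTML Purifier output is ever rendered. It assumes PHP 7.4+ and the ezyang/htmlpurifier package installed via Composer; the configuration directives are HTML Purifier's own, the function names and the sample input are mine.

```php
<?php
// Added example: store raw + filtered copies of WYSIWYG content (not code from the thread).
// Assumes `composer require ezyang/htmlpurifier` has been run.
require __DIR__ . '/vendor/autoload.php';

function makePurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    // Allowlist: only the elements and attributes an article body actually needs.
    // Everything else (script, style, on* handlers, iframes, ...) is dropped.
    $config->set('HTML.Allowed',
        'p,br,strong,em,b,i,ul,ol,li,blockquote,h2,h3,a[href|title],img[src|alt]');
    // Only http/https URLs survive in href/src; javascript: and data: are removed.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    // Mark user-supplied links as nofollow.
    $config->set('HTML.Nofollow', true);
    // Disable the on-disk definition cache so the demo needs no writable directory.
    $config->set('Cache.DefinitionImpl', null);
    return new HTMLPurifier($config);
}

/**
 * Returns both copies to persist with the article:
 *  - original_html: exactly what the editor submitted (shown back to the author when editing,
 *    and re-filtered later if the allowlist changes)
 *  - filtered_html: the only copy that is ever echoed into a page
 */
function prepareArticleHtml(string $rawHtml): array
{
    static $purifier = null;
    $purifier ??= makePurifier();
    return [
        'original_html' => $rawHtml,
        'filtered_html' => $purifier->purify($rawHtml),
    ];
}

// Constructed sample input: what a tampered WYSIWYG submission might look like.
$raw = '<p onmouseover="alert(1)">Hello <strong>world</strong></p>'
     . '<script>alert("xss")</script>'
     . '<a href="javascript:alert(1)">bad link</a>'
     . '<a href="https://example.com/">good link</a>';

$copies = prepareArticleHtml($raw);
// The script element, the onmouseover handler and the javascript: href are gone
// from filtered_html; original_html is untouched for the edit form.
echo $copies['filtered_html'], PHP_EOL;
```

In the view, echo `filtered_html` with Blade's raw-output syntax (it is already sanitized HTML) and never the original copy; `original_html` only goes back into the editor's textarea, where it is escaped like any other value.
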
  • 2021-02-08 23:28

    You can use a tag system similar to BBCode or Markdown to allow your users to do certain operations. This way, you can be sure the input will be sanitized against EVERY kind of malicious script; just use a lexer and an XSS protection when displaying user content.

    EDIT: To see what I mean, you can use CKEditor as your WYSIWYG editor, in conjunction with the BBCode plugin:

  • 2021-02-08 23:28

    Using Laravel, you might also have to sanitize for Blade template stuff. You don't want users entering in stuff like: {{{phpInfo()}}}.

    Building a WYSIWYG editor requires the users to have some level of trust. If you don't trust the users at all, your best option is what was mentioned earlier: using custom tags.
