PHP Markdown XSS Sanitizer

情话喂你 2020-12-07 02:42

I'm looking for a simple PHP library that helps filter XSS vulnerabilities in PHP Markdown output, i.e. PHP Markdown will parse things such as:

[XSS Vulnera         

4 answers
  • 2020-12-07 03:11

    There is no such thing as too robust. “Sanitising” HTML is hard. Any corners you cut to process it more simply are likely to result in exploits sneaking through. Even complicated old HTMLPurifier, with its best-of-breed reputation, has had multiple ways of sneaking dangerous markup through in the past!

    However, if your text-markup solution is capable of outputting dangerous HTML then it is deficient and should be replaced IMO. If PHP Markdown allows javascript: URLs through then that's a pretty lamentable, basic flaw and I don't think I'd trust it to get anything else right.

  • 2020-12-07 03:14

    I've never heard of any other tool than HTML Purifier, to do that -- and HTML Purifier does indeed have a good reputation.

    Maybe it's "a bit robust" and "a pain to configure", yes; but it's also probably the most used, and tested, solution available in PHP; and those are important criteria when you have to choose such an important component.

    Even if it means investing half a day to configure it properly, if I were in your situation, I would probably choose HTML Purifier.

  • 2020-12-07 03:18

    HTMLPurifier is a fine answer and perhaps the most robust solution.

    It is also possible to use Markdown in a relatively safe way, but you have to use it in the right way. For details on how to use Markdown securely, look here. See the link for details about how to use it safely, but the short version is: it is important to use the latest version, to set safe_mode, and to set enable_attributes=False.

  • 2020-12-07 03:21

    I had a suggestion, and I asked on SO to find out if it would work, but unfortunately it was closed and marked as a duplicate of this question.

    My suggestion is modifying markdown's code and allowing only links and image sources to start with http://, https:// or ftp:// which covers all the common protocols required. If the link doesn't start with one of these, then it should be left unchanged in the output.

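As an added example, not taken from the answer above or from PHP Markdown's own code, here is the scheme allowlist that suggestion describes, written in PHP. `allowedUrl` and `renderInlineLinks` are hypothetical names, the link regex is a deliberately simplified stand-in for Markdown's real inline-link grammar, and the sample input is constructed; the check also normalises the case, whitespace and entity tricks that a naive "starts with http" comparison would miss.

```php
<?php
// Added example: URL scheme allowlist for Markdown link/image targets.
// Hypothetical helper names; not part of PHP Markdown or HTML Purifier.

/**
 * True only if $url starts with http://, https:// or ftp://.
 * Browsers ignore leading/trailing control bytes and tabs/newlines inside a
 * scheme and compare schemes case-insensitively, and Markdown generally leaves
 * existing HTML entities intact, so normalise all of that before comparing.
 */
function allowedUrl(string $url): bool
{
    // Decode entity-encoded characters such as &#106;avascript:
    $u = html_entity_decode($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    // Strip leading/trailing ASCII whitespace and control characters.
    $u = preg_replace('/^[\x00-\x20]+|[\x00-\x20]+$/', '', $u);
    // Remove embedded tab/CR/LF, which browsers drop inside the scheme.
    $u = preg_replace('/[\x09\x0A\x0D]/', '', $u);
    return (bool) preg_match('#^(https?|ftp)://#i', $u);
}

/**
 * Simplified inline link/image rendering: [text](url) and ![alt](url).
 * Targets with an allowed scheme become <a>/<img>; everything else is left
 * unchanged in the output, exactly as the answer proposes.
 */
function renderInlineLinks(string $markdown): string
{
    return preg_replace_callback(
        '/(!?)\[([^\]]*)\]\(([^)]*)\)/',
        function (array $m): string {
            [$whole, $bang, $text, $url] = $m;
            if (!allowedUrl($url)) {
                return $whole; // rejected target: literal Markdown stays literal
            }
            $href = htmlspecialchars(trim($url), ENT_QUOTES, 'UTF-8');
            $text = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
            return $bang === '!' ? "<img src=\"$href\" alt=\"$text\">"
                                 : "<a href=\"$href\">$text</a>";
        },
        $markdown
    );
}

// Constructed sample: only the first target passes the allowlist.
$sample = "[ok](https://example.com) [bad](javascript:alert%281%29) "
        . "[case](\tJaVaScRiPt:alert%281%29) [entity](&#106;avascript:alert%281%29) "
        . "![img](data:text/html;base64,AAAA) [rel](/about)";
echo renderInlineLinks($sample), "\n";
```

Note that, as in the answer, relative and protocol-relative targets are also left unrendered; if those are needed they have to be added to the allowlist deliberately rather than by loosening the scheme check.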