发表新帖
发表新帖

Are there any good PHP based HTML filters available?

后端 未结
关注
7 1801
死守一世寂寞
死守一世寂寞 2020-12-30 07:01

I am currently in a project with a PHP frontend. We\'re pretty concerned about security, because we\'ll have quite a lot of users and are an attractive target for hackers. O

相关标签:
7条回答
  • 再見小時候
    2020-12-30 07:15

    HTMLPurifier probably works—but let me just say that the folder structure is over-complicated and pompous. Hundreds of lines of comments, a folder called "test", a license file, read-mes and info files, images, ANOTHER folder for smoketesting (which is downright abusive), extras, configs, benchmarks—and to top it all off, about 10 different CMS compatibility modes, testimonials on their website, full versions, lite versions, husky, mildly-chubby, down-syndrome and the full spectrum of politically correct programatical variations.

    0 讨论(0)
  • 猫巷女王i
    2020-12-30 07:21

    I can really recommend kses for HTML filtering. Actually that's what wordpress uses. Its free and open source.

    0 讨论(0)
  • 一整个雨季
    2020-12-30 07:22

    CodeIgniter has an excellent XSS filter, you could rip it out of the system/libraries/Input.php file if you wanted it as a standalone function.

    0 讨论(0)
  • 刺人心
    2020-12-30 07:31

    HTML Purifier project

    Personally I have had very good results with the HTML Purifier project

    It is highly customizable and has a huge code base. The only issue is uploading the files to your server.

    Are you sure you have not got a configuration issue with your installation? As the purifier should not let through any HTML tags at all if configured correctly.

    From the web site:

    HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited,
    secure yet permissive whitelist, it will also make sure your documents are standards compliant, something only achievable with a comprehensive knowledge of W3C's specifications.
    Tired of using BBCode due to the current landscape of deficient or
    insecure HTML filters? Have a
    WYSIWYG editor but never been able to use it? Looking for high-quality, standards-compliant, open-source components for that application you're building? HTML Purifier is for you!

    I wrote an article about how to use the HTML purifier library with CodeIgniter here.

    Maybe it will help with giving it another try:

    // load the config and overide defaults as necessary
$config = HTMLPurifier_Config::createDefault();
$config->set('HTML', 'Doctype', 'XHTML 1.0 Transitional');
$config->set('HTML', 'AllowedElements', 'a,em,blockquote,p,strong,pre,code');
$config->set('HTML', 'AllowedAttributes', 'a.href,a.title');
$config->set('HTML', 'TidyLevel', 'light');
    0 讨论(0)
  • 悲哀的现实
    2020-12-30 07:33

    kses works well. You can easily specify which elements to allow and disallow, so making it ‘HTML5-aware’ would just be a matter of setting an array.

    WordPress uses it, so I guess it’s pretty safe ;)

    0 讨论(0)
  • 星月不相逢
    2020-12-30 07:33

    I've used this class before and had pretty decent success: http://www.phpclasses.org/browse/package/2189.html

    0 讨论(0)
 看不清?
提交回复
热议问题