WMD Markdown and server-side

核能气质少年 提交于 2019-12-08 02:11:44

问题


I have worked the last 2 days on WMD and Markdown, and I don't find THE solution for stock data with security. I would like users to be able to post HTML/XML <code> (with WMD) on my site.

For the moment, I stock data in the Markdown format, but if I disable JavaScript the user can easily push XSS. If I strip_tags or html_entities all data I lose the user HTML/XML <code>. How can I do it?

In my opinion I must html_entities just the code between pre /pre, but how?! My data is in Markdown.

After, what can I do to forbid XSS attributes:

<img src="javascript:alert('xss');" />

回答1:


To "clean" your HTML, you could use a tool like HTML Purifier

Basically, it allows you to specify which tags/attributes are allowed, an only keeps those.

It also produces valid (X)HTML code as ouput -- which is nice.

You can see on the demo page there is an example that is almost exactly the XSS you posted, btw ;-)

For instance, you can try with some HTML like this one :

test <img src="javascript:evil();" onload="evil();" /> 
test <img src="http://www.google.com/a.Png" /> test2

The output is :

test  test <img src="http://www.google.com/a.Png" alt="a.Png" /> test2

The img tag with XSS has not been kept ; the other one has ; and there's been an alt attribute added, to be standard-compliant.

It might not solve all your problems, but if you are giving users the possiblity to input HTML, is it definitly useful (would I dare saying "it's a must-have" ? )



来源:https://stackoverflow.com/questions/1174114/wmd-markdown-and-server-side

标签
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!