Question
I am building a blog and currently I'm finishing the admin panel.
Since I will mostly be the one managing it... I want to make sure that when I type
<ul>
<li>test</li>
<li>test</li>
</ul>
it will show me the unordered list but also prevent XSS
tags, just in case...
How could I do that?
Could a solution be creating functions that replace the tags of ul, ol, img, etc.?
Answer 1:
Check this URL - http://refactormycode.com/codes/333-sanitize-html
There is another useful thread on the issue and how to handle this - What is the best way to store WMD input/markdown in SQL server and display later?
Answer 2:
What you are looking for is an HTML sanitizer. These are very hard to write correctly, so you should look at an existing library. For PHP, have a look at HTML Purifier.
Proper XSS protection involves more than HTML sanitizing. The Open Web Application Security Project (OWASP) has put together a canonical guide to avoiding XSS attacks:
XSS (Cross Site Scripting) Prevention Cheat Sheet
Answer 3:
The standard way to deal with XSS while allowing HTML is to:
- run the HTML through a (real) HTML parser
- delete any element or attribute that isn't on a whitelist (use a third party whitelist as a starting point, do research on any additional elements/attributes you add to make sure they don't have means to inject JS that you don't know about).
- sanity-check any URIs
- generate clean HTML from the DOM
The specifics will depend on the language you are using.
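As an added example (not code from the question or any of the answers), here are those four steps using only Python's standard library: html.parser does the parsing, a small allowlist constructed here decides which elements and attributes survive, href/src values are scheme-checked, and the output is re-serialized from what the parser saw rather than from the raw input. The allowlist is a constructed starting point, not a vetted list.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist of elements and the attributes each may carry (constructed here as
# a small starting point, not a vetted list); anything not listed is dropped.
ALLOWED = {"p": set(), "ul": set(), "ol": set(), "li": set(), "em": set(),
           "strong": set(), "a": {"href"}, "img": {"src", "alt"}}
VOID = {"img"}                        # elements without a closing tag
DROP_CONTENT = {"script", "style"}    # drop the text inside these as well
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"", "http", "https"}  # "" keeps relative links

def safe_url(value):
    # Strip the whitespace browsers ignore so "java\nscript:" cannot slip past
    cleaned = "".join(c for c in value.strip() if c not in "\t\n\r")
    return urlparse(cleaned).scheme.lower() in SAFE_SCHEMES

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.stack, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
        if tag not in ALLOWED or self.skip:
            return                    # unknown element: tag gone, text kept
        kept = [f' {n}="{escape(v or "", quote=True)}"' for n, v in attrs
                if n in ALLOWED[tag] and (n not in URL_ATTRS or safe_url(v or ""))]
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT and self.skip:
            self.skip -= 1
        elif tag in self.stack:
            while self.stack:         # close any children still open
                t = self.stack.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.skip:             # text is re-escaped, never passed raw
            self.out.append(escape(data, quote=False))

    def close(self):
        super().close()
        while self.stack:             # close whatever the input left open
            self.out.append(f"</{self.stack.pop()}>")

def sanitize(html):
    s = Sanitizer()
    s.feed(html)
    s.close()
    return "".join(s.out)
```

Comments, declarations and processing instructions are discarded by the parser's default handlers, so they never reach the output.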
Source: https://stackoverflow.com/questions/9826970/prevent-xss-but-allow-all-html-tags