开发者

Best Settings for Html purify

开发者 https://www.devze.com 2023-02-14 04:54 出处:网络
I would like to use PHP-based tool HTML Purifier on a textbox to prevent xss but I would like to allow the following:

I would like to use PHP-based tool HTML Purifier on a textbox to prevent xss but I would like to allow the following:

  1. basic tags like <b>,<i>,<u>
  2. links
  3. images

I would like to block all CSS and开发者_如何学JAVA JavaScript. I just tried HTML Purifier and it failed on this case. Just see this example. How can I take care of this?

Also I would want all words of the form #abcd and @abcd to be replaced with custom html (as you would have guessed it a link). Is it possible with this or do I have to do my own replace?


Set HTML.Allowed to something like b,i,u,a[href],img[src|alt]

See here.


Regular expressions and e modifier


function checkTag( $tag ) {
  $tag = removeslashes( $tag );

  ...

  return $secureTag;
}

$html = preg_replace( "/<[^>]+>/e", " checkTag( '\$0' )", $input );


PHP has a built-in function that seems to do exactly what you want.

http://php.net/manual/en/function.strip-tags.php

It even has a whitelist feature so it can allow some tags.

For the #abcd and the @abcd part I think you will have to use a preg_replace() for that. I have used a similar function and it does the @abcd part very well :).

$sClickText = preg_replace("/\@([a-zA-Z0-9_])+/",' <a href="#reply" onClick="reply(\'' . "$0" . '\')">' . "$0" . '</a>',$sInputText);
0

精彩评论

暂无评论...
验证码 换一张
取 消

关注公众号