
How to allow some tags but block others for XSS

Developer https://www.devze.com 2023-03-03 12:39 Source: Web

I want to allow some tags like <p> <ul> <li> <b> <strong>. I have a specific list. But I also want to protect from XSS attacks, so I need to use escaping. How can I do it so that I allow those specific tags, but escape everything else?


Most frequently recommended is HTMLPurifier, because that contains heaps of workarounds to prevent all kinds of XSS abuse. It filters out tags and attributes that other solutions might miss. It's a bit of configuration work, and maybe overkill in some settings. But it's certainly the safest approach.

You can configure an allowed list with it, but you could as well still apply the strip_tags() method by @yc. But not alone by itself! Only in conjunction with HTMLPurifier!


There's a function in Drupal called filter_xss that you can use as a (fantastic) example if you want something sophisticated. Otherwise just use the strip_tags function.

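The approach both answers point at, an explicit allow-list with everything else escaped rather than stripped, as an added stand-alone example (not the asker's code, and not PHP's strip_tags() or HTMLPurifier). It uses Python's html.parser with the tag list from the question, and drops every attribute even on allowed tags, which is the gap a tag-only filter leaves open.

```python
from html import escape
from html.parser import HTMLParser

# The question's allow-list: these tags survive, everything else becomes text.
ALLOWED_TAGS = {"p", "ul", "li", "b", "strong"}


class AllowlistSanitizer(HTMLParser):
    """Keep allow-listed tags with no attributes; escape all other markup."""

    def __init__(self):
        # convert_charrefs=True decodes &lt; etc. into data, which we then
        # re-escape, so entity-encoded markup stays literal text.
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            # Drop every attribute: an allowed <b> with onmouseover= is still
            # XSS, which is what a tag-only filter such as strip_tags() misses.
            self.out.append(f"<{tag}>")
        else:
            self.out.append(escape(self.get_starttag_text()))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>" if tag in ALLOWED_TAGS else escape(f"</{tag}>"))

    def handle_data(self, data):
        self.out.append(escape(data))

    def handle_comment(self, data):
        self.out.append(escape(f"<!--{data}-->"))


def sanitize(html: str) -> str:
    """Return html with only ALLOWED_TAGS kept as markup."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample, not from the original post: the allowed <b> is kept
    # but loses its onclick=, and the <script> element is rendered as text.
    print(sanitize('<p>Hi <b onclick="alert(1)">there</b></p><script>x()</script>'))
    # → <p>Hi <b>there</b></p>&lt;script&gt;x()&lt;/script&gt;
```

Tag names come out lower-cased because html.parser normalises them, so `<STRONG>` matches the allow-list and is emitted as `<strong>`.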
