Reputation: 152
I'd need to load a user-given URL and display a div with my content after the content of the user-given website.
Implementing this would be trivial:
$c = file_get_contents($url);
echo $c . $myDivCode;
However, wouldn't this open my server to all kinds of security issues, such as XSS?
If so, what would be the best way to handle this, taking into account that I would like to be able to display the content of the user-given URL as well as possible (i.e. run all the safe scripts)?
Upvotes: 0
Views: 119
Reputation: 1814
The best way would probably be to display the site in an iframe like this:
echo "<iframe src=\"" . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . "\"></iframe>"; // escape the URL so it cannot break out of the src attribute
This way the user loads the page directly from the URL, without your server proxying it. However, since you're displaying information from another site, your site will always be vulnerable to XSS unless you remove scripts and HTML completely.
Upvotes: 1
Reputation: 193
Of course you are open to XSS exploits.
To prevent XSS attacks, you just have to check and properly validate/escape all data; don't allow HTML or JavaScript code to be inserted from that URL.
Use htmlspecialchars() to convert HTML characters into HTML entities, so characters like <> that mark the beginning/end of a tag are turned into HTML entities. You can use strip_tags() to only allow some tags, as the function does not strip out harmful attributes like onclick or onload.
Upvotes: 0
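The two answers above in working PHP, as an added example that is not code from the question or either answer: the iframe approach with the URL checked and escaped, htmlspecialchars() applied to fetched markup, and a check that shows the strip_tags() caveat. The function names and the sample HTML are my own constructions.

```php
<?php
// Added example, not code from the question or the answers above.
// Function names (renderIframe, escapeFetchedHtml, stripTagsKeepsAttributes)
// are assumptions of this example.

// First answer: embed the remote page instead of proxying it, but do not drop
// the raw $url into the attribute. Reject non-http(s) URLs (e.g. javascript:)
// and escape quotes so the value cannot break out of src="...".
function renderIframe(string $url): string {
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return '<p>Invalid URL.</p>';
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return '<p>Only http and https URLs are allowed.</p>';
    }
    $safeUrl = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    // sandbox restricts the framed document: scripts may run, but not as our
    // origin, and it cannot navigate our page or open popups.
    return '<iframe src="' . $safeUrl . '" sandbox="allow-scripts allow-forms"></iframe>';
}

// Second answer: htmlspecialchars() turns the fetched markup into inert text,
// so nothing in it executes (and nothing in it renders as HTML either).
function escapeFetchedHtml(string $fetched): string {
    return '<pre>' . htmlspecialchars($fetched, ENT_QUOTES, 'UTF-8') . '</pre>';
}

// Caveat from the second answer: strip_tags() with an allow-list keeps every
// attribute on the allowed tags, so event handlers on <p> or <img> survive.
// Returns whether an onclick/onerror handler is still present after stripping.
function stripTagsKeepsAttributes(string $html): bool {
    $stripped = strip_tags($html, '<p><img>');
    return stripos($stripped, 'onclick=') !== false
        || stripos($stripped, 'onerror=') !== false;
}

// Constructed sample input for the demonstration.
$sample = '<p onclick="alert(1)">hello</p><script>alert(2)</script>'
        . '<img src="x" onerror="alert(3)">';

echo renderIframe('https://example.com/page?q=1"><script>alert(1)</script>'), "\n";
echo renderIframe('javascript:alert(1)'), "\n";
echo escapeFetchedHtml($sample), "\n";
var_dump(stripTagsKeepsAttributes($sample));
```

Run it with the PHP CLI; the last line reports whether the allow-listed strip_tags() call left the handlers in place, which is the reason the second answer pairs it with htmlspecialchars() rather than relying on it alone.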