Reputation: 2194
My site utilizes a WYSIWYG editor for users to update their accounts, enter comments, and send private messages.
The editor (CKEditor) is great for only allowing users to enter valid input, but I worry about injection through TamperData or other means.
How can I control this on the server side?
I need to whitelist specific tags: <b><ul><ol><a><img><br>. Will this be a SAFE approach to preventing XSS?
Upvotes: 2
Views: 1880
Reputation: 382716
Use HTML Purifier:
HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist.
Upvotes: 7
Reputation: 2472
strip_tags is going to be your friend. The second parameter lets you pass in an array of allowed tags (see strip_tags).
Upvotes: 0
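Server-side filtering of the asker's tag list, written as an added example for both answers above (it is not code from the question or from either answer). It assumes HTML Purifier is installed through Composer as the package ezyang/htmlpurifier; the sample input is constructed, and the final strip_tags() call is included only to show why tag whitelisting alone is not enough.

```php
<?php
// Added example: whitelist the tags from the question with HTML Purifier.
// Assumes Composer autoloading and the ezyang/htmlpurifier package.
require __DIR__ . '/vendor/autoload.php';

function buildPurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();

    // Only the tags the question lists, each restricted to the attributes it
    // actually needs. <li> is added because <ul>/<ol> are not valid without it.
    // Event-handler attributes such as onerror are never on this list.
    $config->set('HTML.Allowed', 'b,ul,ol,li,a[href],img[src|alt],br');

    // Restrict href/src to http(s); javascript: and data: URIs are dropped.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);

    // Links in user content should not pass page rank to arbitrary sites.
    $config->set('HTML.Nofollow', true);

    return new HTMLPurifier($config);
}

// Constructed sample of what a client can submit once the CKEditor
// client-side restrictions are bypassed (e.g. by editing the POST body).
$dirty = '<b>hello</b>'
       . '<img src="x" onerror="alert(1)">'
       . '<a href="javascript:alert(1)">link</a>'
       . '<script>alert(1)</script>';

// Tags and attributes outside the whitelist are removed, and the remaining
// markup is normalised to well-formed HTML.
$clean = buildPurifier()->purify($dirty);
echo "HTML Purifier: ", $clean, PHP_EOL;

// Contrast: strip_tags() removes disallowed *tags* only. Every attribute on an
// allowed tag survives, so the onerror handler and javascript: href above are
// passed through untouched. This is why a tag whitelist alone is not safe.
echo "strip_tags:    ", strip_tags($dirty, '<b><ul><ol><a><img><br>'), PHP_EOL;
```

Run it once against your own sample payloads and keep the output of the strip_tags() line in mind when deciding which approach to ship.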