sanoj lawrence

Reputation: 73

how to protect from XSS in WYSIWYG

I store user input from a WYSIWYG editor in an SQL database. I need to protect against XSS attacks and found a solution.

Since I am using a WYSIWYG editor, I found this solution.

My problem is: which is the best way to protect from XSS? Do I need to use HTML Purifier,

or can I use this simple method:

echo htmlspecialchars($string, ENT_QUOTES, 'UTF-8'); 

Upvotes: 1

Views: 466

Answers (1)

pinkgothic

Reputation: 6179

The best method depends on your use-case. If you use htmlspecialchars(), then if your user enters bold text in the WYSIWYG, it will show up on your page either as <b>bold text</b> or <strong>bold text</strong>. That's probably not what you want.

If you actually want to output the formatted text from your WYSIWYG, you need to sanitise the HTML input. HTML Purifier is one good option for that, and quite easy to set up.

In short: It depends on if you actually want to output formatted text or not. If you don't, htmlspecialchars() is easier and consumes less resources. Since you're letting users use a WYSIWYG, I assume you do, though, and in that case htmlspecialchars() will ruin what you're even trying to achieve.

Upvotes: 1
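The contrast the answer describes, as an added example that is not part of the question or the answer: the same constructed WYSIWYG input is run through htmlspecialchars() (everything escaped, formatting shown literally) and through a small allowlist sanitiser built on PHP's DOMDocument. That sanitiser is a teaching stand-in written for this example, not HTML Purifier's code; HTML Purifier remains the better choice for production because it covers far more cases than the handful of tags and the href check shown here.

```php
<?php
// Added example, not code from the question or the answer. It contrasts the two
// options on one constructed WYSIWYG input: htmlspecialchars() escapes the whole
// string, while an allowlist sanitiser keeps harmless formatting and drops the
// rest. The sanitiser is a small stand-in for HTML Purifier, for illustration.

// Constructed sample: legitimate formatting plus two injection attempts.
const SAMPLE_INPUT = '<p>Hello <b>bold</b> <script>alert(1)</script>'
    . '<a href="javascript:alert(1)" onclick="steal()">link</a></p>';

// Option 1: escape everything. Safe, but the reader sees literal <b> tags.
function escapeAll(string $html): string
{
    return htmlspecialchars($html, ENT_QUOTES, 'UTF-8');
}

// Option 2: keep only allowlisted tags and attributes.
function sanitizeAllowlist(string $html): string
{
    // tag => attributes permitted on that tag
    $allowed = [
        'p' => [], 'br' => [], 'b' => [], 'strong' => [], 'i' => [], 'em' => [],
        'ul' => [], 'ol' => [], 'li' => [], 'a' => ['href'],
    ];
    // Tags whose content is dropped as well, not just the tag itself.
    $dropWithContent = ['script', 'style'];

    $doc = new DOMDocument();
    // The XML prefix makes libxml read the fragment as UTF-8;
    // @ silences warnings about sloppy WYSIWYG markup.
    @$doc->loadHTML('<?xml encoding="UTF-8"><body>' . $html . '</body>');
    $body = $doc->getElementsByTagName('body')->item(0);
    cleanNode($body, $allowed, $dropWithContent);

    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function cleanNode(DOMNode $node, array $allowed, array $dropWithContent): void
{
    // Copy the list first: removing nodes while iterating a live list skips items.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (in_array($tag, $dropWithContent, true)) {
                $node->removeChild($child);
                continue;
            }
            if (!isset($allowed[$tag])) {
                // Unknown tag: unwrap it, keeping its (cleaned) children.
                cleanNode($child, $allowed, $dropWithContent);
                while ($child->firstChild !== null) {
                    $node->insertBefore($child->firstChild, $child);
                }
                $node->removeChild($child);
                continue;
            }
            // Strip every attribute not allowlisted for this tag (on* handlers included).
            foreach (iterator_to_array($child->attributes, false) as $attr) {
                $name = strtolower($attr->name);
                if (!in_array($name, $allowed[$tag], true)
                    || ($name === 'href' && !isSafeHref($attr->value))) {
                    $child->removeAttribute($attr->name);
                }
            }
            cleanNode($child, $allowed, $dropWithContent);
        } elseif (!($child instanceof DOMText)) {
            // Comments, processing instructions, etc. carry no formatting.
            $node->removeChild($child);
        }
    }
}

// Allow relative URLs and http/https/mailto; reject javascript:, data:, etc.
function isSafeHref(string $href): bool
{
    $href = trim($href);
    if (!preg_match('/^[a-z][a-z0-9+.-]*:/i', $href)) {
        return true; // no scheme: relative URL or fragment
    }
    return (bool) preg_match('/^(https?|mailto):/i', $href);
}

echo escapeAll(SAMPLE_INPUT), "\n";
// &lt;p&gt;Hello &lt;b&gt;bold&lt;/b&gt; ... shown literally, no formatting
echo sanitizeAllowlist(SAMPLE_INPUT), "\n";
// <p>Hello <b>bold</b> <a>link</a></p>  (script gone, onclick and javascript: href stripped)
```

Either way, apply the treatment at output time (or consistently at storage time, once), and store what the user sent. Escaping and sanitising are not interchangeable: the first answers "show this text exactly as typed", the second "show this formatting but nothing executable", which is the distinction the answer draws.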
