Guicara

Reputation: 1698

HTML Purifier - How to know if an XSS injection was found?

I'm using HTML Purifier to remove all malicious code from user input. I want to send an alert email when XSS code is detected (and removed) by HTML Purifier.

The purify() method returns purified HTML. I can't compare the input HTML with the purified HTML to detect changes because HTML Purifier ensures standards-compliant output by transforming HTML.

Is it possible?

Thanks for your help!

Upvotes: 2

Views: 243

Answers (2)

Ametad

Reputation: 402

There is a config setting that is maybe helpful in tracking the changes made by Purifier:

http://htmlpurifier.org/live/configdoc/plain.html#Core.CollectErrors

It says:

Whether or not to collect errors found while filtering the document. This is a useful way to give feedback to your users.

But also (and this is the tricky part):

Warning: Currently this feature is very patchy and experimental, with lots of possible error messages not yet implemented. It will not cause any problems, but it may not help your users either.

So I am not sure if this could be enough to know what errors (say XSS injection) are encountered by the Purifier.

Upvotes: 0
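As an added illustration of the setting this answer points to (example code written for this page, not code from the answerer or from the HTML Purifier project), the snippet below enables Core.CollectErrors, purifies a constructed sample, and reads back whatever the library's ErrorCollector recorded for that run so the application can decide whether to raise an alert. The Composer autoload path and the sample input are assumptions; the collector's coverage is, as the quoted documentation says, experimental, so a run with an empty error list does not prove the input was clean.

```php
<?php
// Added example: use HTML Purifier's experimental error collector as a
// best-effort signal that filtering removed or altered something.
// Assumption: HTML Purifier is installed via Composer at this path.
require_once __DIR__ . '/vendor/autoload.php';

/**
 * Purify $dirty and return both the clean HTML and the raw errors the
 * ErrorCollector gathered during that purify() call.
 */
function purifyAndCollect(string $dirty, ?HTMLPurifier_Config $config = null): array
{
    $config = $config ?? HTMLPurifier_Config::createDefault();

    // Core.CollectErrors is the setting referenced in the answer above.
    // The HTML Purifier docs describe it as patchy/experimental, so treat
    // the result as a hint to investigate, not as a complete audit log.
    $config->set('Core.CollectErrors', true);

    $purifier = new HTMLPurifier($config);
    $clean = $purifier->purify($dirty);

    // After purify(), the context used for that run exposes the collector.
    $collector = $purifier->context->get('ErrorCollector');

    // getRaw() yields one entry per recorded error. Entries carry a line
    // number, a PHP severity constant (E_ERROR / E_WARNING / E_NOTICE) and
    // a message; which severity a given message gets is the library's
    // choice, so inspect real output before filtering on it.
    $errors = $collector->getRaw();

    // Human-readable version, handy for the body of an alert email.
    $report = $collector->getHTMLFormatted($config);

    return ['clean' => $clean, 'errors' => $errors, 'report' => $report];
}

/**
 * Decide whether the collected errors warrant an alert. This version alerts
 * on any recorded error; tighten it (e.g. to E_ERROR only) once you have
 * seen what the collector reports for your own inputs.
 */
function filteringAlteredInput(array $errors): bool
{
    return count($errors) > 0;
}

// Constructed sample input for the demo (not taken from the question).
$sample = '<p>hello</p><script>alert(1)</script>'
        . '<a href="https://example.invalid/" onclick="alert(1)">link</a>';

$result = purifyAndCollect($sample);

if (filteringAlteredInput($result['errors'])) {
    // Replace error_log() with your mailer; keep the raw array for forensics
    // and the formatted report for the human reading the alert.
    error_log('HTML Purifier altered user input: ' . json_encode($result['errors']));
}

echo $result['clean'], PHP_EOL;
```

Because the collector is per-call state on the purifier object, read it immediately after the purify() call you care about rather than after a batch. Keeping the raw array alongside the rendered report lets you correlate an alert with the exact input that triggered it when you later review whether the signal was a real injection attempt or just non-compliant markup being tidied.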

Edward Z. Yang

Reputation: 26762

Nope, HTML Purifier doesn't support this use-case.

Upvotes: 1
