6:[["$","$Le",null,{}],["$","div",null,{"className":"min-h-screen bg-gray-100 p-6","children":[["$","$Lf",null,{}],["$","script",null,{"type":"application/ld+json","dangerouslySetInnerHTML":{"__html":"{\"@context\":\"https://schema.org\",\"@type\":\"QAPage\",\"mainEntity\":{\"@type\":\"Question\",\"name\":\"Preventing XSS but still allowing some HTML in PHP\",\"text\":\"

I want to block XSS attacks but I still want to allow HTML tags like <img><a> and YouTube video players. I don't want to be open for XSS attacks tho. I am using PHP.

\\n\",\"author\":{\"@type\":\"Person\",\"name\":\"Keverw\"},\"upvoteCount\":1,\"answerCount\":2,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"

I recommend using htmlpurifier, it is the most secure tool to filter html.

\\n\\n

I suggest you also to read this great analysis of HTML sanistisation tools for php.

\\n\",\"author\":{\"@type\":\"Person\",\"name\":\"Nicolò Martini\"},\"upvoteCount\":3}}}"}}],["$","div",null,{"className":"bg-white shadow-md rounded-lg p-6 mb-6 relative","children":[["$","div",null,{"className":"absolute top-4 right-4 flex flex-wrap space-x-2","children":[["$","span","php",{"className":"bg-blue-600 text-white text-sm px-3 py-1 rounded-full","children":["$","$L10",null,{"href":"/discussion/tag/php/1","children":"php"}]}],["$","span","xss",{"className":"bg-blue-600 text-white text-sm px-3 py-1 rounded-full","children":["$","$L10",null,{"href":"/discussion/tag/xss/1","children":"xss"}]}]]}],["$","div",null,{"className":"flex items-center mb-4","children":[["$","img",null,{"src":"https://www.gravatar.com/avatar/1ad93f5c83d19d99d4046222ea5633cb?s=256&d=identicon&r=PG","alt":"Keverw","className":"w-16 h-16 rounded-full border"}],["$","div",null,{"className":"ml-4","children":[["$","a",null,{"href":"https://stackoverflow.com/users/458642/keverw","target":"_blank","rel":"noopener noreferrer","className":"text-lg font-semibold text-blue-600 hover:underline","children":"Keverw"}],["$","p",null,{"className":"text-sm text-gray-500","children":["Reputation: ",3786]}]]}]]}],["$","h1",null,{"className":"text-2xl font-bold text-gray-800 mb-4","children":"Preventing XSS but still allowing some HTML in PHP"}],["$","p",null,{"className":"text-gray-700 mt-4","dangerouslySetInnerHTML":{"__html":"

I want to block XSS attacks but I still want to allow HTML tags like <img><a> and YouTube video players. I don't want to be open for XSS attacks tho. I am using PHP.

\n"}}],["$","div",null,{"className":"text-gray-600 text-sm mt-4","children":[["$","p",null,{"children":["Upvotes: ",1]}],["$","p",null,{"children":["Views: ",532]}]]}]]}],["$","div",null,{"className":"container mx-auto","children":[["$","h2",null,{"className":"text-2xl font-semibold text-gray-800 mb-6","children":["Answers (",2,")"]}],[["$","div","3847651",{"className":"bg-white shadow-md rounded-lg p-6 mb-6","children":[["$","div",null,{"className":"flex items-center mb-4","children":[["$","img",null,{"src":"https://i.sstatic.net/SVrTp.jpg?s=256","alt":"Nicolò Martini","className":"w-12 h-12 rounded-full border"}],["$","div",null,{"className":"ml-4","children":[["$","a",null,{"href":"https://stackoverflow.com/users/162087/nicol%c3%b2-martini","target":"_blank","rel":"noopener noreferrer","className":"text-lg font-semibold text-blue-600 hover:underline","children":"Nicolò Martini"}],["$","p",null,{"className":"text-sm text-gray-500","children":["Reputation: ",5220]}]]}]]}],["$","p",null,{"className":"text-gray-700 mb-4","dangerouslySetInnerHTML":{"__html":"

I recommend using htmlpurifier, it is the most secure tool to filter html.

\n\n

I suggest you also to read this great analysis of HTML sanistisation tools for php.

\n"}}],["$","div",null,{"className":"text-gray-600 text-sm","children":["$","p",null,{"children":["Upvotes: ",3]}]}]]}],["$","div","3847636",{"className":"bg-white shadow-md rounded-lg p-6 mb-6","children":[["$","div",null,{"className":"flex items-center mb-4","children":[["$","img",null,{"src":"https://www.gravatar.com/avatar/23b65f8bdcfb8b83ed4de9e2c66e117f?s=256&d=identicon&r=PG","alt":"Thomas O","className":"w-12 h-12 rounded-full border"}],["$","div",null,{"className":"ml-4","children":[["$","a",null,{"href":"https://stackoverflow.com/users/313032/thomas-o","target":"_blank","rel":"noopener noreferrer","className":"text-lg font-semibold text-blue-600 hover:underline","children":"Thomas O"}],["$","p",null,{"className":"text-sm text-gray-500","children":["Reputation: ",6220]}]]}]]}],["$","p",null,{"className":"text-gray-700 mb-4","dangerouslySetInnerHTML":{"__html":"

strip_tags($string, \"<b> <u> <i> <img> <a>\");\n

\n\n

This will not prevent someone from using onmouseover etc. though - you have to strip out Javascript.

\n"}}],["$","div",null,{"className":"text-gray-600 text-sm","children":["$","p",null,{"children":["Upvotes: ",1]}]}]]}]]]}],["$","div",null,{"className":"bg-white shadow-md rounded-lg p-6 mt-6","children":[["$","h2",null,{"className":"text-2xl font-semibold text-gray-800 mb-4","children":"Related Questions"}],["$","ul",null,{"className":"list-disc list-inside","children":[["$","li","1996122",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/1996122","className":"text-blue-600 hover:underline","children":"How can I prevent XSS with HTML/PHP?"}]}],["$","li","5132019",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/5132019","className":"text-blue-600 hover:underline","children":"PHP Prevent xss"}]}],["$","li","16125244",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/16125244","className":"text-blue-600 hover:underline","children":"Preventing XSS from within HTML elements"}]}],["$","li","17207750",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/17207750","className":"text-blue-600 hover:underline","children":"How to output HTML but prevent XSS attacks"}]}],["$","li","16417873",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/16417873","className":"text-blue-600 hover:underline","children":"How to avoid XSS and CSS but allow users to use some HTML tags?"}]}],["$","li","12942225",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/12942225","className":"text-blue-600 hover:underline","children":"Remove XSS attacks while still allowing html?"}]}],["$","li","9826970",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/9826970","className":"text-blue-600 hover:underline","children":"prevent xss but allow all html tags"}]}],["$","li","5925637",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/5925637","className":"text-blue-600 hover:underline","children":"How to allow some tags but block others for XSS"}]}],["$","li","5255343",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/5255343","className":"text-blue-600 hover:underline","children":"Preventing XSS with PHP"}]}],["$","li","3050088",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/3050088","className":"text-blue-600 hover:underline","children":"Prevent XSS but allow all characters?"}]}]]}]]}]]}],["$","$L11",null,{}],["$","$L12",null,{}],["$","$L13",null,{}],["$","$L14",null,{}],["$","$L15",null,{}]]

Preventing XSS but still allowing some HTML in PHP

Answers (2)

Related Questions