oam

Reputation: 33

How to allow some tags but block others for XSS

I want to allow some tags like <p>, <ul>, <li>, <b>, <strong>; I have a specific list. But I also want to protect from XSS attacks, so I need to use escaping. How can I do it so that I allow those specific tags, but escape everything else?

Upvotes: 2

Views: 232

Answers (2)

mario

Reputation: 145512

Most frequently recommended is HTMLPurifier, because that contains heaps of workarounds to prevent all kinds of XSS abuse. It filters out tags and attributes that other solutions might miss. It's a bit of configuration work, and maybe overkill in some settings. But it's certainly the safest approach.

You can configure an allowed list with it, but you could as well still apply the strip_tags() method by @yc. But not alone by itself! Only in conjunction with HTMLPurifier!

Upvotes: 2
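The combination this answer describes, as an added example that is not code from the thread: strip_tags() with the question's allow-list as a cheap first pass, then HTMLPurifier configured with the same list to drop attributes and anything else strip_tags leaves behind. It assumes HTMLPurifier is installed through Composer so that vendor/autoload.php exists.

```php
<?php
// Added example, not from the thread. Assumes the ezyang/htmlpurifier package
// is installed via Composer, so vendor/autoload.php is present.
require_once __DIR__ . '/vendor/autoload.php';

// The allow-list from the question.
const ALLOWED_TAGS = ['p', 'ul', 'li', 'b', 'strong'];

// Step 1: strip_tags() with an allow-list. Cheap, but it only removes tags that
// are not on the list; attributes on allowed tags (including on* event
// handlers) survive untouched, which is why it must not be used on its own.
function stripDisallowedTags(string $html): string
{
    return strip_tags($html, ALLOWED_TAGS);
}

// Step 2: HTMLPurifier with the same allow-list. It parses the markup, removes
// every element and every attribute that is not explicitly allowed, and
// re-serialises the result as well-formed HTML.
function purify(string $html): string
{
    $config = HTMLPurifier_Config::createDefault();
    // Elements listed without a bracketed attribute list are allowed with
    // no attributes at all, so event handlers on <b> or <p> are dropped.
    $config->set('HTML.Allowed', implode(',', ALLOWED_TAGS));
    // Keep the example self-contained: no definition cache written to disk.
    $config->set('Cache.DefinitionImpl', null);
    return (new HTMLPurifier($config))->purify($html);
}

// The order recommended in the answer: strip_tags() first, HTMLPurifier after.
function sanitize(string $html): string
{
    return purify(stripDisallowedTags($html));
}

// Constructed sample input: an allowed tag carrying an event-handler attribute
// (placeholder value) and a disallowed <script> element.
$sample = '<p>Hello <b onclick="EVENT_HANDLER_PLACEHOLDER">world</b></p>'
        . '<script>DISALLOWED_CONTENT</script>';

// After step 1 alone the <script> tags are gone, but the onclick attribute
// (and the script's text content) remain in the output.
echo stripDisallowedTags($sample), PHP_EOL;

// After both steps only the allow-listed elements remain, with no attributes.
echo sanitize($sample), PHP_EOL;
```

Compare the two printed lines to see what strip_tags() alone lets through.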

David Fells

Reputation: 6798

There's a function in Drupal called filter_xss that you can use as a (fantastic) example if you want something sophisticated. Otherwise just use the strip_tags function.

Upvotes: 0
