stergosz

Reputation: 5860

prevent xss but allow all html tags

I am building a blog and currently I'm finishing the admin panel.

Since I will mostly be the one managing it... I want to make sure that when I type

<ul>
   <li>test</li>
   <li>test</li>
</ul>

it will show me the unordered list but also prevent XSS tags, just in case...

How could I do that?

Could a solution be creating functions that replace the tags of ul, ol, img, etc.?

Upvotes: 0

Views: 3828

Answers (3)

Quentin

Reputation: 943142

The standard way to deal with XSS while allowing HTML is to:

  1. run the HTML through a (real) HTML parser
  2. delete any element or attribute that isn't on a whitelist (use a third party whitelist as a starting point, do research on any additional elements/attributes you add to make sure they don't have means to inject JS that you don't know about).
  3. sanity check any URIs
  4. generate clean HTML from the DOM

The specifics will depend on the language you are using.

Upvotes: 1
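The four steps above carried out end to end, as an added example that is not code from the answer or from any library it refers to. It builds on the standard library's html.parser tokenizer and urllib.parse; the allowlist of elements and attributes, the accepted URL schemes and the helper names (safe_url, sanitize) are this example's own choices, and the sample inputs at the bottom are constructed.

```python
"""Allowlist HTML sanitizer: parse, allowlist, check URIs, re-serialize.

Added illustration of the four steps, not a production sanitizer.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlist (hypothetical, sized for a personal blog): element -> attributes
# permitted on it. Research each element/attribute before adding more.
ALLOWED = {
    "p": set(), "br": set(), "ul": set(), "ol": set(), "li": set(),
    "strong": set(), "em": set(), "b": set(), "i": set(), "code": set(),
    "pre": set(), "blockquote": set(), "h1": set(), "h2": set(), "h3": set(),
    "a": {"href", "title"},
    "img": {"src", "alt", "title"},
}
URL_ATTRS = {"href", "src"}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
VOID = {"br", "img"}
# html.parser switches to raw-text mode inside these two elements; their
# bodies arrive as "data" and must be discarded, not re-emitted as text.
RAW_TEXT = {"script", "style"}


def safe_url(value: str) -> bool:
    """Accept relative URLs and absolute ones with an allowlisted scheme."""
    # Browsers drop tab/CR/LF and surrounding spaces before parsing a URL,
    # so "java\nscript:" would still run; normalise the same way first.
    cleaned = value.strip().replace("\t", "").replace("\r", "").replace("\n", "")
    scheme = urlsplit(cleaned).scheme.lower()
    return scheme == "" or scheme in ALLOWED_SCHEMES


class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []         # clean HTML fragments, regenerated from scratch
        self.open = []        # stack of emitted elements not yet closed
        self.skipping = None  # raw-text element whose body is being dropped

    def handle_starttag(self, tag, attrs):
        if self.skipping:
            return
        if tag not in ALLOWED:
            if tag in RAW_TEXT:
                self.skipping = tag
            return  # drop the element itself; its child text still passes
        pieces = [tag]
        seen = set()
        for name, value in attrs:
            if name in seen or name not in ALLOWED[tag]:
                continue  # first occurrence wins; unknown attributes dropped
            seen.add(name)
            if value is None:
                pieces.append(name)  # boolean attribute
                continue
            if name in URL_ATTRS and not safe_url(value):
                continue  # javascript:, data:, vbscript: ... all rejected
            pieces.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(pieces) + ">")
        if tag not in VOID:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if self.skipping:
            if tag == self.skipping:
                self.skipping = None
            return
        if tag not in self.open:
            return  # stray or disallowed end tag
        while True:  # close anything still open inside it, then it
            top = self.open.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(html.escape(data, quote=False))

    # comments, doctypes and processing instructions: default no-op = dropped

    def result(self) -> str:
        while self.open:  # close tags the author left open
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize(markup: str) -> str:
    parser = _Sanitizer()
    parser.feed(markup)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed inputs: the asker's list plus a few classic XSS vectors.
    for sample in [
        "<ul>\n   <li>test</li>\n   <li>test</li>\n</ul>",
        "<p>hi<script>alert(1)</script> there</p>",
        '<a href="javascript:alert(1)">x</a>',
        '<img src="x" onerror="alert(1)">',
        '<a href=" jAvAsCrIpT:alert(1)">y</a>',
        "<b>unclosed <i>tags",
    ]:
        print(repr(sample), "->", repr(sanitize(sample)))
```

The output is always regenerated from the parsed tokens; the input is never echoed back, which is what makes step 4 matter. Note the limitation: html.parser is a tokenizer, not an HTML5 tree builder, so it will not repair mis-nesting the way a browser does, which is exactly why the answer stresses a real parser and why a maintained sanitizer library is the right choice for anything beyond a single-author admin panel.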

Colin Pickard

Reputation: 46633

What you are looking for is an HTML sanitizer. These are very hard to write correctly, so you should look at an existing library. For PHP, have a look at HTML Purifier.

Proper XSS protection involves more than HTML sanitizing. The Open Web Application Security Project (OWASP) has put together a canonical guide to avoiding XSS attacks:

XSS (Cross Site Scripting) Prevention Cheat Sheet

Upvotes: 3

rs.

Reputation: 27427

Check this url - http://refactormycode.com/codes/333-sanitize-html

There is another useful thread on the issue and how to handle this - What is the best way to store WMD input/markdown in SQL server and display later?

Upvotes: 1
