Prevent Xss But Allow All Html Tags
I am building a blog and currently im finishing the admin panel. Since i will be mostly who will be managing it... i want to make sure that when i type
- test
Solution 1:
What you are looking for is an HTML sanitizer. These are very hard to write correctly, so you should look at an existing library. For PHP, have a look at HTML Purifier.
Proper XSS protection involves more than html sanitizing. The Open Web Application Security Project (OWASP) has put together a canonical guide to avoiding XSS attacks:
XSS (Cross Site Scripting) Prevention Cheat Sheet
Solution 2:
Check this url - http://refactormycode.com/codes/333-sanitize-html
There is another useful thread on the issue and how to handle this - What is the best way to store WMD input/markdown in SQL server and display later?
Solution 3:
The standard way to deal with XSS while allowing HTML is to:
- run the HTML through a (real) HTML parser
- delete any element or attribute that isn't on a whitelist (use a third party whitelist as a starting point, do research on any additional elements/attributes you add to make sure they don't have means to inject JS that you don't know about).
- sanity check any URIs
- generate clean HTML from the DOM
The specifics will depend on the language you are using.
Post a Comment for "Prevent Xss But Allow All Html Tags"