sanitization

Script tags being rendered after purification in WYSIWYG

送分小仙女□ submitted on 2019-11-28 13:06:39
I'm having an issue with using the HTMLPurifier PHP library. I'm using a WYSIWYG editor named 'Summernote' for all text areas on my application. When writing something inside Summernote like: <script>alert('test');</script> The post data comes through as <p><script>alert('test');</script></p> However, once this is run through the HTMLPurifier, it doesn't remove the script tags that are converted into regular characters. So when I go to edit this text inside Summernote, it actually runs the script! Here's an image of what is processed into the editor: And here is how it's stored inside the

How can I allow HTML in a whitelist with PHP

岁酱吖の submitted on 2019-11-28 12:58:42
I know there is a lot of discussion for years on best methods of filtering data with PHP but I would like to go the whitelist approach in my current project. I only want a user to be able to use the following HTML <b>bold</b> <i>italics</i> <u>underline</u> <s>strikethrough</s> <big>Big size</big> <small>Small size</small> Hyperlink <a href="http://www.site.com">website</a> A Bulleted List: <ul> <li>One Item</li> <li>Another Item</li> </ul> An Ordered List: <ol> <li> First Item</li> <li> Second Item</li> </ol> <blockquote>Because it is indented</blockquote> <h1>Heading 1</h1> <h2>Heading 2<

Is this a safe/strong input sanitization function?

蹲街弑〆低调 submitted on 2019-11-28 10:10:42
Question: This is the sanitization function used in a book I recently learned from - Sams Teach Yourself Ajax, JavaScript, and PHP All in One. I've been using it on my own PHP site. Is it safe for real-world usage? function sanitizestring($var) { $var = strip_tags($var); $var = htmlentities($var); $var = stripslashes($var); return mysql_real_escape_string($var); } Answer 1: I would say that is too general. It may be safe for a lot of uses, but it would often give unwanted side effects to strings. Not every

Sanitization of User-Supplied Regular Expressions in PHP

我只是一个虾纸丫 submitted on 2019-11-28 07:49:53
Question: I want to create a website where users can test regular expressions (there are many out there already...such as this one: http://www.pagecolumn.com/tool/pregtest.htm). Basically, the user provides a regular expression and some sample text, and the results of the regex evaluation will be spit back. I want to evaluate the regex on the server side with the PHP "preg_*" functions. Is there a way to sanitize the supplied regex? What are the security vulnerabilities that I should be concerned about

Forming sanitary shell commands or system calls in Ruby

给你一囗甜甜゛ submitted on 2019-11-28 06:33:01
I'm building a daemon that will help me manage my server(s). Webmin works fine, as does just opening a shell to the server, but I'd prefer to be able to control server operations from a UI I design, and also expose some functionality to end users. The daemon will pick up actions from a queue and execute them. However, since I'll be accepting input from users, I want to make sure they're not permitted to inject something dangerous into a privileged shell command. Here's a fragment that exemplifies my problem: def perform system "usermod -p #{@options['shadow']} #{@options['username']}" end A

Sanitize user defined CSS in PHP

China☆狼群 submitted on 2019-11-28 05:28:18
I want to allow users to use their own stylesheets for their profiles on my forum, but I'm afraid of possible security vulnerabilities. Does anyone have any tips for sanitizing CSS? Basic process: User enters CSS into form -> Save to DB -> Output as inline CSS HTMLPurifier with CSSTidy does what you're looking for. HTMLPurifier is primarily designed for sanitizing HTML, but also has an option to extract style blocks with CSSTidy. There's an example in the HTMLPurifier docs (but alas, I've used up my two links per post.) Here's another: require_once './htmlpurifier/library/HTMLPurifier.auto.php'

How to sanitize HTML code in Java to prevent XSS attacks?

青春壹個敷衍的年華 submitted on 2019-11-28 05:23:36
I'm looking for a class/util etc. to sanitize HTML code, i.e. remove dangerous tags, attributes and values to avoid XSS and similar attacks. I get HTML code from a rich text editor (e.g. TinyMCE) but it can be sent a malicious way around, omitting TinyMCE validation ("Data submitted from off-site"). Is there anything as simple to use as InputFilter in PHP? The perfect solution I can imagine works like this (assume the sanitizer is encapsulated in an HtmlSanitizer class): String unsanitized = "...<...>..."; // some potentially // dangerous html here on input HtmlSanitizer sat = new HtmlSanitizer(); // sanitizer

Best way to go about sanitizing user input in rails

好久不见. submitted on 2019-11-28 05:20:59
I've read a lot about this and know there are many related questions on here, but I couldn't find a definitive guide for how to go about sanitizing everything. One option is to sanitize on insert, for example I have the following in my model before_validation :sanitize_content, :on => :create def sanitize_content self.content = ActionController::Base.helpers.sanitize(self.content) end Do I need to run this on every field in every model? I'm guessing the :on => :create should be removed too so it runs on updates too? The other option is to sanitize when data is displayed in views, using

angularjs newline filter with no other html

回眸只為那壹抹淺笑 submitted on 2019-11-28 03:22:10
I'm trying to convert newline characters (\n) to html br's. As per this discussion in the Google Group, here's what I've got: myApp.filter('newlines', function () { return function(text) { return text.replace(/\n/g, '<br/>'); } }); The discussion there also advises to use the following in the view: {{ dataFromModel | newline | html }} This seems to be using the old html filter, whereas now we're supposed to use the ng-bind-html attribute. Regardless, this poses a problem: I don't want any HTML from the original string (dataFromModel) to be rendered as HTML; only the br's. For example,

PHP Markdown XSS Sanitizer

不想你离开。 submitted on 2019-11-28 02:01:17
I'm looking for a simple PHP library that helps filter XSS vulnerabilities in PHP Markdown output. I.e. PHP Markdown will parse things such as: [XSS Vulnerability](javascript:alert('xss')) I've been doing some reading around and the best I've found on the subject here was this question. Although HTML Purifier looks like the best (nearly only) solution I was wondering if there was anything out there more general? HTML Purifier seems to be a bit robust especially for my needs, as well as a pain to configure, though it looks like it'd work excellently after doing so. Is there anything else out