HTMLPurifier, check entire HTML document

|▌冷眼眸甩不掉的悲伤 submitted on 2019-12-10 19:12:02

Question


I'm using HTMLPurifier to check for XSS in an entire HTML document. The problem is that it appears to strip out anything that isn't inside <body> tags. But I want to keep everything, just look out for serious XSS attacks.

Any ideas how to allow <HTML>, <HEAD>, <META> etc.?


Answer 1:


David, I just searched on the HTMLPurifier support forum and saw that you've been busy.

But perhaps you missed the posting from a few months ago that addresses your exact issue, specifically the reply:

Full document support will (ostensibly) come some time in the HTML Purifier 5.x series; we don't actually have the parsing code necessary to actually deal with full HTML documents.

Until then, you'll want to capture your head and DTD and re-add it to the purified doc.




Answer 2:


Remember that you can construct an XSS attack that runs from 'head'.




Answer 3:


You can tell HTML Purifier what tag the purified code will be inside (it defaults to 'div'). Setting this to 'span' would block all block-level tags. You could experiment with setting it to 'body', or even to 'html'.



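Putting answers 1 and 3 together, the following is an added example (not code from the question, the answers, or the HTML Purifier project itself): it splits a full document with DOMDocument, runs only the body through HTML Purifier with the `HTML.Parent` directive answer 3 refers to left at its default of `div`, and re-attaches the doctype and head as answer 1 suggests. Because HTML Purifier never sees the head (answer 2's point), the head is reduced to a small allowlist of element names; the function name, the allowlist, the autoloader path and the sample input are all assumptions of this example.

```php
<?php
// Added example, not HTML Purifier's own code. Assumes ezyang/htmlpurifier is
// installed via Composer (the autoloader path is an assumption).
require_once __DIR__ . '/vendor/autoload.php';

/**
 * Purify the <body> of a full HTML document and re-attach the doctype and a
 * filtered <head>. Hypothetical helper written for this example.
 */
function purifyFullDocument(string $html, array $allowedHeadTags = ['title', 'meta']): string
{
    $dom = new DOMDocument();
    libxml_use_internal_errors(true);                 // tolerate tag soup quietly
    $dom->loadHTML($html, LIBXML_HTML_NODEFDTD);      // do not invent a doctype
    libxml_clear_errors();

    // Doctype: keep the one the document declared, otherwise fall back to HTML5.
    $doctype = $dom->doctype !== null
        ? '<!DOCTYPE ' . $dom->doctype->name . '>'
        : '<!DOCTYPE html>';

    // Head: HTML Purifier never sees this part, so only elements whose tag name is
    // on the allowlist survive; anything else in the head is dropped.
    $headHtml = '';
    $head = $dom->getElementsByTagName('head')->item(0);
    if ($head !== null) {
        foreach ($head->childNodes as $node) {
            if ($node instanceof DOMElement
                && in_array(strtolower($node->tagName), $allowedHeadTags, true)) {
                $headHtml .= $dom->saveHTML($node) . "\n";
            }
        }
    }

    // Body: serialise the inner HTML and hand it to HTML Purifier as a fragment.
    $bodyHtml = '';
    $body = $dom->getElementsByTagName('body')->item(0);
    if ($body !== null) {
        foreach ($body->childNodes as $node) {
            $bodyHtml .= $dom->saveHTML($node);
        }
    }

    $config = HTMLPurifier_Config::createDefault();
    // HTML.Parent is the directive answer 3 describes; 'div' is the default.
    $config->set('HTML.Parent', 'div');
    $purifier = new HTMLPurifier($config);
    $cleanBody = $purifier->purify($bodyHtml);

    // Reassemble the document around the purified body.
    return $doctype . "\n<html>\n<head>\n" . $headHtml . "</head>\n<body>\n"
        . $cleanBody . "\n</body>\n</html>\n";
}

// Constructed sample input for this example (not from the original post): a
// script element in the head and an inline event handler in the body.
$sample = '<!DOCTYPE html><html><head><title>Hello</title>'
        . '<script>alert(1)</script></head>'
        . '<body><p onclick="alert(1)">Hi</p></body></html>';

echo purifyFullDocument($sample);
```

Running this drops the head `<script>` through the allowlist and the `onclick` attribute through HTML Purifier, while keeping the doctype, `<title>` and the document skeleton. Attributes on the `<html>` element itself (such as `lang`) are not carried over in this version, and the head allowlist is deliberately narrow; widen it only for element types you have decided to trust.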
Source: https://stackoverflow.com/questions/1509268/htmlpurifier-check-entire-html-document
