How to prevent XSS (Cross Site Scripting) whilst allowing HTML input

Frontend | Unresolved | 5 | 1768
梦如初夏 2020-12-06 11:23

I have a website that allows HTML to be entered through a TinyMCE rich editor control. Its purpose is to allow users to format text using HTML.

This user entered conten

5 answers
  •  死守一世寂寞
    2020-12-06 11:46

    Peter, I'd like to introduce you to two concepts in security:

    Blacklisting - Disallow things you know are bad.

    Whitelisting - Allow things you know are good.

    While both have their uses, blacklisting is insecure by design.

    What you are asking for is, in fact, blacklisting. If there had to be an alternative to
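An allowlist (whitelist) sanitizer of the kind this answer argues for, as an added example written for this page rather than code from the question or the answer; the allowed tag and attribute sets are assumptions for a minimal rich-text editor and should be extended deliberately, never by listing what is bad.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist (assumed minimal set for a rich-text editor): anything not listed is dropped.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "ul", "ol", "li", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}
DROP_CONTENT_TAGS = {"script", "style"}  # text inside these is discarded, not just the tag
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")

def safe_href(value):
    # Allow only absolute http(s)/mailto URLs or site-relative paths (no protocol-relative //host).
    v = value.strip().lower()
    return v.startswith(SAFE_URL_SCHEMES) or (v.startswith("/") and not v.startswith("//"))

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities decoded here, re-escaped on output
        self.out, self.skip = [], None

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip = tag
        if tag not in ALLOWED_TAGS:
            return  # unknown tag removed; its text content still flows through handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()) or value is None:
                continue  # event handlers, style, etc. never make it through
            if name == "href" and not safe_href(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag == self.skip:
            self.skip = None
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skip is None:
            self.out.append(escape(data, quote=False))

def sanitize(html):
    """Rebuild html from allowlisted tags only; everything else is escaped or dropped."""
    p = AllowlistSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)
```

Because the output is rebuilt from the parsed tree rather than patched with regexes, malformed or mixed-case markup is normalised before the allowlist is applied, and text that looked like markup is re-escaped on the way out.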
