CKEditor security best practices

Submitted by 瘦欲 on 2019-12-10 14:55:51

Question


I am using http://ckeditor.com/ in a small PHP/MySQL forum I built. My questions:

  1. Is it safe to save user-created HTML like this in the database and then re-display it in my application? What precautions should I take to keep the users of my forum safe from script injection and the like?

    <p>test</p>
    <span style="font-size: 14px;">test</span>
    
  2. Would it be safer to use BBCode instead of HTML? I tried the ckeditor bbcode plugin but it lacks some basic formatting like text alignment ... Does anyone know how to extend the plugin to add text alignment to it?


Answer 1:


For your first question, there are two main things you need to do:

  1. Safely save the user content to your database so that you are not vulnerable to a SQL injection attack. See this SO question for how best to handle that => Best way to stop SQL Injection in PHP.

  2. Prevent someone from submitting unsafe HTML to your database that would then be re-displayed to your users and make them vulnerable to an XSS attack. There are plenty of questions that deal with that here on SO. Here's one => XSS Prevention in PHP.
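As an added example (not code from the question or the answer), the two measures above combined in one small Python script: an allowlist-based sanitiser for the HTML that CKEditor submits, plus parameterised queries for storing and fetching the result. `sqlite3` stands in for MySQL, and the tag, attribute and CSS allowlist is an assumed minimal set chosen for illustration; in the asker's PHP stack the equivalents are HTML Purifier for the sanitising step and PDO prepared statements for the database step.

```python
# Added example: allowlist HTML sanitiser + parameterised storage for forum posts.
# Assumptions: sqlite3 stands in for MySQL; the allowlists below are illustrative.
import html
import re
import sqlite3
from html.parser import HTMLParser

# tag -> attributes that survive; any tag not listed here is dropped entirely
ALLOWED_TAGS = {
    "p": set(), "br": set(), "strong": set(), "em": set(),
    "ul": set(), "ol": set(), "li": set(),
    "span": {"style"}, "a": {"href"},
}
VOID_TAGS = {"br"}
# CSS properties CKEditor's basic toolbar emits, each with a strict value shape
ALLOWED_STYLE = {
    "font-size": re.compile(r"^\d{1,2}px$"),
    "text-align": re.compile(r"^(left|right|center|justify)$"),
}
# href must be http(s), mailto or site-relative, which rules out javascript:/data:
SAFE_URL = re.compile(r"^(https?:|mailto:|/)", re.IGNORECASE)


def clean_style(value):
    # keep only allowlisted declarations whose value matches the pattern
    kept = []
    for decl in value.split(";"):
        prop, _, val = decl.partition(":")
        prop, val = prop.strip().lower(), val.strip()
        rule = ALLOWED_STYLE.get(prop)
        if rule and rule.match(val):
            kept.append(f"{prop}: {val};")
    return " ".join(kept)


class Sanitizer(HTMLParser):
    """Re-serialises input using only allowlisted tags; everything else becomes
    escaped text or is dropped. Unbalanced tags are closed so a post cannot
    break the layout of the page that displays it."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):    # drop these and their text bodies
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return
        safe = ""
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue                  # onerror=, onclick=, src=, ... end here
            if name == "style":
                value = clean_style(value)
            elif name == "href" and not SAFE_URL.match(value.strip()):
                continue
            if value:
                safe += f' {name}="{html.escape(value, quote=True)}"'
        self.out.append(f"<{tag}{safe}>")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif tag in self.open:            # close everything opened after it too
            while self.open:
                inner = self.open.pop()
                self.out.append(f"</{inner}>")
                if inner == tag:
                    break

    def handle_data(self, data):
        if not self.skip:                 # text is always re-escaped on output
            self.out.append(html.escape(data, quote=False))

    def result(self):
        while self.open:
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize_html(fragment):
    s = Sanitizer()
    s.feed(fragment)
    s.close()
    return s.result()


def open_db():
    # in-memory stand-in for the forum's MySQL posts table
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    return conn


def store_post(conn, author, raw_html):
    # sanitise before storing; bind values as parameters, never interpolate them
    body = sanitize_html(raw_html)
    cur = conn.execute("INSERT INTO posts (author, body) VALUES (?, ?)", (author, body))
    return cur.lastrowid


def fetch_post(conn, post_id):
    row = conn.execute("SELECT body FROM posts WHERE id = ?", (post_id,)).fetchone()
    return row[0] if row else None
```

The `<p>` and `<span style="font-size: 14px;">` markup from the question passes through unchanged, while `<script>`, event-handler attributes, `javascript:` links and unknown CSS properties are stripped and stray `<`, `&` and quotes in text are re-escaped. Extend `ALLOWED_TAGS` and `ALLOWED_STYLE` to match exactly what your CKEditor toolbar emits (the `text-align` entry covers the alignment feature asked about) rather than widening them speculatively, and consider running the sanitiser again at render time as cheap defence in depth for posts stored before a rule was tightened. Switching to BBCode does not remove the need for either step: BBCode is still converted to HTML, and the conversion output has to be restricted in the same way.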



Source: https://stackoverflow.com/questions/7225210/ckeditor-security-best-practices
