问题
My site utilizes a WYSIWYG editor for users to update their accounts,enter comments, and send private messages.
The editor (CKEditor) is great for only allowing users to enter valid input, but I worry about injection through TamperData or other means.
How can I control this on the server side?
I need to whitelist specific tags: <b><ul><ol><a><img><br>, will this be a SAFE approach to preventing XSS?
回答1:
Use HTML Purifier:
HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist.
回答2:
strip_tags is going to be your friend. The second parameter lets you pass in an array of allowed tags strip_tags
来源:https://stackoverflow.com/questions/2992674/php-xss-prevention-whitelisting