HTMLPurifier without htmlspecialchars

|▌冷眼眸甩不掉的悲伤 submitted on 2019-12-13 00:29:59

Question


I am using HTMLPurifier for a simple TinyMCE WYSIWYG. If I don't use htmlspecialchars, would it be open to XSS attack? This is what I'm doing

$detail = $purifier->purify($detail);

to purify data for that textarea. If I use htmlspecialchars, it strips all basic tags as well, which is not user friendly for a WYSIWYG editor. But the problem is, this allows the <script> tag as well.

And if I change the config setting to

$config->set('ExtractStyleBlocks.1', true);

it doesn't allow < and > for the <script> tag. It converts < and > for <script> only. But it shows <p>This is paragraph</p>, <strong>This text is bold</strong> and so on. It shouldn't show <p> and other simple tags to the user, but only the text.

How can I get rid of this problem?

Please help. Thanks for your time.

Edit

Here is my HTMLPurifier initialization

$config = HTMLPurifier_Config::createDefault();
//$config->set('ExtractStyleBlocks', true);
$config->set('HTML.ForbiddenElements', array('script','style','applet'));
$purifier = new HTMLPurifier($config);

Getting data from the database:

while (mysqli_stmt_fetch($stmt1)) {
    $id = htmlspecialchars($id);
    $title = htmlspecialchars($title);     // plain-text field: escaped once here
    $detail = $purifier->purify($detail);  // rich-text field: purified, not escaped

    // $title is already escaped above; escaping it again would double-encode entities
    $posts .= "<div id='date_news'><div id='news_holder$id' class='news_holder'><h3 id='show_title'>" . $title . "</h3>" . $detail . "</div>";
}

HTML for $detail

In the database

<p><strong>Alu Vazi</strong></p>
<p>I love alu vazi with&lt;script&gt;alert("XSS")&lt;/script&gt;</p>

User screen

Alu Vazi

I love alu vazi with<script>alert("XSS")</script>


Answer 1:


OK, following my comment, try adding this to your HTML Purifier config. It should be enabled by default, but it's worth a shot.

$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.ForbiddenElements', array('script','style','applet'));
$purifier = new HTMLPurifier($config);

Edit

<p>I love alu vazi with&lt;script&gt;alert("XSS")&lt;/script&gt;</p>

You've already escaped the <script> tag here, so HTML Purifier has nothing to parse. It will be output on the page as a result, but you have effectively neutralised the XSS attempt.

In your code something is already escaping HTML characters before saving to the database.
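As an added illustration (not HTML Purifier's code, and not from the question or the answer), the following Python stand-in uses the standard-library HTML parser to show why the two stored forms behave differently: a forbidden-element filter removes a real <script> element, whereas the entity-escaped &lt;script&gt; stored in the question is plain character data to any HTML parser, so it passes through and renders as literal text without executing. render_post assumes the split the question is aiming for: htmlspecialchars for the plain title, purify only for the editor field.

```python
from html import escape
from html.parser import HTMLParser

FORBIDDEN = {"script", "style", "applet"}  # the question's HTML.ForbiddenElements list

class ForbidElements(HTMLParser):
    """Re-emit a fragment, dropping forbidden elements and their content.
    Entity references such as &lt; are re-emitted untouched: the parser never sees
    them as tags, so an escaped <script> survives purification as visible text."""

    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep &lt; etc. as entity events
        self.out = []
        self.depth = 0  # > 0 while inside a forbidden element

    def handle_starttag(self, tag, attrs):
        if tag in FORBIDDEN:
            self.depth += 1
        elif self.depth == 0:
            self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if tag in FORBIDDEN:
            self.depth = max(0, self.depth - 1)
        elif self.depth == 0:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.depth == 0:
            self.out.append(data)

    def handle_entityref(self, name):
        if self.depth == 0:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if self.depth == 0:
            self.out.append(f"&#{name};")

def purify(fragment: str) -> str:
    """Stand-in for $purifier->purify(): strip forbidden elements, keep the rest."""
    parser = ForbidElements()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)

def render_post(title: str, detail: str) -> str:
    """Escape plain-text fields (htmlspecialchars); only purify the WYSIWYG field."""
    return f"<h3>{escape(title, quote=True)}</h3>{purify(detail)}"
```

Fed the raw editor markup '<p>I love alu vazi with<script>alert("XSS")</script></p>', purify returns '<p>I love alu vazi with</p>'; fed the entity-escaped value from the question's database row, it returns that value unchanged, which is exactly the literal text the user sees on screen.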



Source: https://stackoverflow.com/questions/29104203/htmlpurifier-without-htmlspecialchars
