100% safe way of storing html in MySQL [closed]

一世执手 submitted on 2019-12-21 18:30:03

Question


I'm working on a project where the public (so everyone) is allowed to insert HTML through TinyMCE for their own project page. Since everyone is allowed to use this feature, I need a 100% safe way of inserting the TinyMCE output into my database, and showing it on another page just as it was inserted by the user.

XSS, SQL injection and all that other crap are not what I want on my new website! I could do htmlentities -> htmlspecialchars and later on use htmlentities_decode, but is this 100% safe, and is it the best way of doing it?


Answer 1:


SQL injection is in most cases easily avoided with the use of prepared statements.

XSS is more difficult if you're planning to allow users to post HTML markup. You need to remove all <script> tags, all on* attributes from tags, all javascript: urls, and even then that's probably not fully guaranteed to make the input HTML safe. There are libraries such as HTMLPurifier that can help, but so long as you allow HTML, you're at risk of letting something malicious through.

You could use a library that implements something such as Markdown or wikitext instead. This severely limits what users can enter, whilst still letting them mark the content up to an extent. It's not foolproof (people can still just post links to malicious sites and hope users click through to them, which some will be naive enough to actually do), and you'll not be able to use a rich editor such as TinyMCE without some sort of plugin, but it's a much simpler job to sanitize Markdown than it is to sanitize HTML.




Answer 2:


It is not doable. You are thinking of filtering, and that's a good point, but in the end it won't be possible to lock it down totally if you accept HTML. Take a look at things like BBCode, Markdown, etc. to see some alternatives.

If you decide to accept HTML code, it's not just filtering that needs to be done; even encodings can generate serious security issues. Search for UTF-7, for example, to see what kind of issues can arise. See some examples here: http://www.webappsec.org/projects/articles/091007.txt
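The encoding problem this answer points at, worked through as an added example (it is not code from the answer or from the linked article, and Python stands in for the PHP the question is about): a filter that scans the submitted bytes for `<script` passes a UTF-7 encoded tag, while a browser that ends up treating the page as UTF-7 sees live markup. The payload bytes, the overlong sequence and the `build_response` helper are constructed for the demo; the one assumption is that the site's charset is UTF-8.

```python
# Added example: charset confusion defeats byte-level HTML filtering.
# Constructed payload: in UTF-7, '<' is the shift sequence "+ADw-" and '>' is "+AD4-".
UTF7_PAYLOAD = b"+ADw-script+AD4-alert(1)+ADw-/script+AD4-"
# Constructed: an overlong two-byte encoding of '<' (0x3C), invalid under strict UTF-8.
OVERLONG_LT = b"\xc0\xbc"


def naive_byte_filter_passes(raw: bytes) -> bool:
    """The broken approach: look for the tag in the raw bytes and call it clean."""
    return b"<script" not in raw.lower()


def what_a_utf7_browser_sees(raw: bytes) -> str:
    """If the page is served with no charset and the browser sniffs UTF-7,
    the very same bytes turn into a script element."""
    return raw.decode("utf-7")


def decode_submission(raw: bytes) -> str:
    """Decode strictly as UTF-8 *before* any filtering. Bytes that are not
    valid UTF-8 are rejected instead of being silently reinterpreted."""
    try:
        return raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        raise ValueError("submission is not valid UTF-8") from exc


def contains_script(text: str) -> bool:
    """Stand-in for the real HTML filter: it must run on decoded text, not bytes."""
    return "<script" in text.lower()


def build_response(user_html: str) -> tuple:
    """Pin the output encoding twice (HTTP header and <meta>) so the browser
    decodes the document the same way the filter did. Assumption: UTF-8 site."""
    headers = {"Content-Type": "text/html; charset=utf-8"}
    page = (
        '<!doctype html><html><head><meta charset="utf-8"><title>page</title></head>'
        f"<body>{user_html}</body></html>"
    )
    return headers, page.encode("utf-8")


if __name__ == "__main__":
    print("byte filter passes the UTF-7 payload:", naive_byte_filter_passes(UTF7_PAYLOAD))
    print("a UTF-7 browser would render:", what_a_utf7_browser_sees(UTF7_PAYLOAD))
    text = decode_submission(UTF7_PAYLOAD)
    print("decoded as UTF-8 it is inert text:", text, "| script tag:", contains_script(text))
    headers, body = build_response(text)
    print(headers, body)
```

The two halves of the fix belong together: decoding once as strict UTF-8 gives the filter a fixed interpretation of the bytes, and declaring `charset=utf-8` on the response keeps the browser from picking a different one. In PHP terms the second half is a `Content-Type: text/html; charset=utf-8` header plus the matching `<meta charset>`; the first half is rejecting submissions that do not validate as UTF-8.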




Answer 3:


Storing and showing the HTML are two different things.

For storing the HTML in MySQL, mysql_real_escape_string() is enough, and will protect you from SQL injections.

For displaying, it depends. You want users to be able to write HTML, yet you want to be protected from XSS attacks and such, so you should use a filter like HTMLPurifier (this is what Stack Overflow does). You only need to do this once you have retrieved the HTML from the database.

You never need to use htmlentities() or htmlentities_decode().
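The pipeline that Answer 1 and Answer 3 describe, a bound parameter on the way into the database and an HTML filter on the way out, as an added example. This is not code from the question, from any answer, or from HTMLPurifier: Python's `sqlite3` stands in for MySQL (its `?` placeholder plays the role of a mysqli/PDO prepared-statement parameter), and the hand-written `AllowlistSanitizer` stands in for HTMLPurifier only to show what such a filter has to do. `ALLOWED_TAGS`, `ALLOWED_ATTRS`, the function names and the `SAMPLE` input are assumptions made for the demo.

```python
# Added example: store user HTML verbatim via a bound parameter, sanitise on output.
# sqlite3 stands in for MySQL; AllowlistSanitizer is a demo stand-in for HTMLPurifier.
import sqlite3
from html import escape
from html.parser import HTMLParser

# Assumed policy for this demo: a few formatting tags, and only href/title on <a>.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br", "h2", "h3"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
VOID_TAGS = {"br"}
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:", "/")


class AllowlistSanitizer(HTMLParser):
    """Rebuild the fragment from scratch, keeping only allowlisted tags and
    attributes. Text inside <script>/<style> is discarded, not merely untagged."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag itself, keep its text content
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # on*=, style=, src=, ... never pass
            if name == "href":
                # Browsers tolerate control characters and whitespace inside
                # 'java\nscript:', so normalise before checking the scheme.
                probe = "".join(c for c in value if c.isprintable() and not c.isspace()).lower()
                if probe.startswith("//") or not probe.startswith(SAFE_URL_PREFIXES):
                    continue  # javascript:, data:, vbscript:, protocol-relative
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # text nodes are re-escaped

    def result(self) -> str:
        return "".join(self.out)


def sanitize_html(dirty: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(dirty)
    parser.close()
    return parser.result()


def create_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, body TEXT NOT NULL)")
    return conn


def store_page(conn: sqlite3.Connection, body: str) -> int:
    # The HTML travels as a bound parameter and is never spliced into the SQL
    # text, so quotes and comment markers inside it are data, not syntax.
    cur = conn.execute("INSERT INTO pages (body) VALUES (?)", (body,))
    return cur.lastrowid


def load_raw(conn: sqlite3.Connection, page_id: int) -> str:
    return conn.execute("SELECT body FROM pages WHERE id = ?", (page_id,)).fetchone()[0]


def render_page(conn: sqlite3.Connection, page_id: int) -> str:
    return sanitize_html(load_raw(conn, page_id))  # filter on the way out


# Constructed sample input: what a hostile user might submit through TinyMCE.
SAMPLE = (
    "<p>Hi <b>there</b>'); DROP TABLE pages; --</p>"
    "<script>alert(1)</script>"
    "<img src=x onerror=alert(2)>"
    '<a href="javascript:alert(3)" onclick="alert(4)">click</a>'
    '<a href="https://example.com/?q=1&amp;r=2">ok</a>'
)

if __name__ == "__main__":
    db = create_store()
    pid = store_page(db, SAMPLE)
    print(load_raw(db, pid) == SAMPLE)  # stored exactly as submitted
    print(render_page(db, pid))
```

Keeping the stored copy unmodified is what makes filtering at display time work: when the allowlist has to be tightened later, every existing page is re-filtered automatically on its next view, whereas escaping on the way in (the htmlentities route from the question) would freeze whatever policy was in force at submission time. The parser-based rebuild above also shows why regex stripping of `<script>` is not enough: the text inside the element is dropped too, attributes are decided by an allowlist rather than a denylist, and the href scheme is checked after stripping the whitespace and control characters browsers ignore. For production use a maintained library such as HTMLPurifier rather than a sixty-line demo.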



Source: https://stackoverflow.com/questions/11591757/100-safe-way-of-storing-html-in-mysql
