Sanitizing the WMD editor

I am trying to find ways to deactivate WMD input.

In particular, I am trying to make HTML tags available only in the <code> tags that WMD generates. Is it possible?

My problem is that the following code displays as HTML, which can be used for potential XSS attacks.

For instance, <a onmouseover="alert(1)" href="#">read this!</a>

The above code is usually displayed both in preview mode and when saving to the database.

I noticed that Stack Overflow doesn't seem to have this problem. The same code just displays as text.

I noticed that the Qaru team shared their code at http://refactormycode.com/codes/333-sanitize-html. Do I really need to use C# in order to sanitize WMD?

+5
2 answers

I ended up using an HTML cleaner.

+3

If you want to block the wrong scripts from WMD on the client side, look at my answer here: Combine the WMD preview HTML code with the server side HTML check (for example, without built-in JavaScript code).

, WMD, HTML- WMD HTML- HTML-. , HTML-, HTML- WMD, script , . StackOverflow.com .

, ( PHP, HTML Purifier - ), , , . , WMD , , . WMD- .

, , , HTML, , . . StackOverflow , .

+1
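
The following is an added example, not code from the question, the answers, or the Stack Overflow sanitizer linked above: a fail-closed allowlist filter that keeps only exactly matching tags and shows everything else as text, so the `onmouseover` link from the question is rendered literally. The tag allowlist, the permitted `href` schemes, and the names `sanitizeHtml` and `escapeText` are assumptions for illustration; the same function can run on the preview output and again on the server before saving.

```javascript
// Added example. Tags that do not match a strict pattern are escaped, not repaired.
const NAMES = 'p|b|i|em|strong|code|pre|blockquote|ul|ol|li|h[1-6]'; // assumed allowlist
const OPEN = new RegExp(`^<(${NAMES})>$`, 'i');          // no attributes permitted
const CLOSE = new RegExp(`^</(${NAMES}|a)>$`, 'i');
const VOID = /^<(?:br|hr) ?\/?>$/i;
// <a> may carry only href (http, https, mailto or fragment) and an optional title.
const ANCHOR = /^<(a) href="(?:https?:\/\/|mailto:|#)[^"<>\s]*"(?: title="[^"<>]*")?>$/i;

// Escape markup characters; leave entities that are already encoded untouched.
function escapeText(s) {
  return s.replace(/&(?!(?:[a-z]+|#\d+|#x[0-9a-f]+);)/gi, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

function sanitizeHtml(html) {
  const stack = []; // names of allowed tags that are currently open
  // Tokenize into complete tags, runs of text, and stray '<' characters.
  const out = html.replace(/<[^<>]*>|[^<]+|</g, (tok) => {
    if (tok[0] !== '<') return escapeText(tok);
    if (VOID.test(tok)) return tok;
    const open = OPEN.exec(tok) || ANCHOR.exec(tok);
    if (open) {
      stack.push(open[1].toLowerCase());
      return tok;
    }
    const close = CLOSE.exec(tok);
    // A closing tag is kept only when it closes the innermost allowed tag.
    if (close && stack[stack.length - 1] === close[1].toLowerCase()) {
      stack.pop();
      return tok;
    }
    return escapeText(tok); // unknown tag, extra attribute, or unbalanced close
  });
  // Close anything left open so later page markup is not swallowed.
  return out + stack.reverse().map((name) => `</${name}>`).join('');
}

// The link from the question comes out as plain text.
console.log(sanitizeHtml('<a onmouseover="alert(1)" href="#">read this!</a>'));
```
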
