Geek Answers Handbook

Best way to protect simple wysiwyg with php

I added a simple wysiwyg editor on my website. (it allows only B / I / U - no more)
Currently, I save all the content as html in my database, but just add it <a onclick='...'> or other malicious code)

What is the best way to parse input correctly in PHP? How to implement <b></b> <i></i> etc. How to whitelist and encode everything else?

+7
source share
2 answers

HTMLPurifier

I'm just going to drop it there and probably get the inevitable mount. I would not use strip_tags to protect your WYSIWYG form ... ever (unless you want to make you angry).

It will not protect your form, and you may be killing your user interface.

Chris Shiftlett wrote a great paragraph on his blog

I hate commenting on blogs where my comment is passed through something like strip_tags (), effectively distorting what I'm trying to say. This reminds me of using an IM client that tries to identify emoticons and replace them with images, often making messages difficult to decrypt.

Another reason

Someone else in another answer also wrote this that I like:

  $str = "10 appels is <than 12 apples"; var_dump(strip_tags($str));

The output I get is:

 string '10 appels is ' (length=13)

I personally would not use anything other than HTMLPurifier

HTMLPurifier

HTMLPurifier

Try the demo here: http://htmlpurifier.org/demo.php

And look at this similar question

+12
source

Use strip_tags() . http://php.net/manual/en/function.strip-tags.php

string strip_tags (string $ str [, string $ allowable_tags])

The second parameter is a list of valid tags; just list '<b><i><u>' and the rest will be deleted.

Please note that as a reference to deceze:

This function does not change any tag attributes that you allow the use of allowable_tags, including the style and onmouseover attributes, which an attacker can abuse when publishing text that will be displayed to other users.

Thus, it does not provide full protection against malicious code in itself!

0
source

More articles:


All Articles