WYSIWYG textarea component security
19-08-2019
Question
Really my question has more to do with the server-side scrubbing of HTML that's accepted via the WYSIWYG form component. Right now I'm leaning toward using htmlpurifier.org's library. I'm using PHP's strip_tags() function elsewhere. Anyone have any advice/preferences/recommendations?
Solution
strip_tags() is very vulnerable - you might as well do nothing. HtmlPurifier is probably as good as it gets with HTML cleansing. If you are really serious about security, you should probably disallow HTML input entirely, but I realise that's not always an option.
OTHER TIPS
Don't forget to scrub out the on* attributes like <p onclick="alert('hi!');">. This can cause some trouble.
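The following is an added example, not code from the question or either answer above. It shows the weakness both answers are pointing at: strip_tags() with an allow-list keeps every attribute on an allowed tag, so on* event handlers and javascript: URLs survive, whereas HTMLPurifier rebuilds the markup from an element and attribute whitelist and drops them. It assumes HTMLPurifier (ezyang/htmlpurifier) is installed via Composer at the usual vendor/autoload.php path; the input string is constructed for the demo.

```php
<?php
// Added example: strip_tags() versus HTMLPurifier on WYSIWYG input.
// Assumes a Composer install of ezyang/htmlpurifier (path is an assumption).
require_once __DIR__ . '/vendor/autoload.php';

// Constructed sample of what a WYSIWYG editor could post back to the server.
// Every fragment here is a script-execution vector, not just the <script> tag.
$untrusted = '<p onclick="alert(\'hi!\');">Hello</p>'
           . '<a href="javascript:alert(1)">link</a>'
           . '<img src=x onerror="alert(2)">'
           . '<script>alert(3)</script>';

// 1. strip_tags() with an allow-list. It only decides which TAGS survive;
//    it never looks at attributes. The <p> keeps its onclick, the <a> keeps
//    its javascript: href, and the text inside <script> is left in the output.
function scrubWithStripTags(string $html): string
{
    return strip_tags($html, '<p><a>');
}

// 2. HTMLPurifier. It parses to a DOM, keeps only the listed elements and
//    attributes, validates URIs against an allowed-scheme list, and
//    re-serialises, so on* handlers never appear in the output at all.
function scrubWithPurifier(string $html): string
{
    $config = HTMLPurifier_Config::createDefault();
    // Element and attribute whitelist: anything not listed is removed.
    $config->set('HTML.Allowed', 'p,a[href],strong,em,ul,ol,li');
    // href values must use one of these schemes; javascript: is rejected.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true, 'mailto' => true]);
    // Disable the definition cache so the example needs no writable directory.
    $config->set('Cache.DefinitionImpl', null);

    $purifier = new HTMLPurifier($config);
    return $purifier->purify($html);
}

$stripped = scrubWithStripTags($untrusted);
$clean    = scrubWithPurifier($untrusted);

// A quick check a reviewer can run: does any event-handler attribute remain?
function containsEventHandler(string $html): bool
{
    return (bool) preg_match('/\son[a-z]+\s*=/i', $html);
}

echo "strip_tags output:  $stripped\n";
echo "  event handler left behind? " . (containsEventHandler($stripped) ? 'yes' : 'no') . "\n";
echo "HTMLPurifier output: $clean\n";
echo "  event handler left behind? " . (containsEventHandler($clean) ? 'yes' : 'no') . "\n";
```

Run it with php and compare the two outputs: the strip_tags() line still contains onclick="..." and href="javascript:...", while the HTMLPurifier line contains neither. The regex check is deliberately crude and is only a smoke test for the demo; the sanitiser itself is the HTMLPurifier whitelist, not the regex.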
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow