Question

Really my question has more to do with the server-side scrubbing of HTML that's accepted via the WYSIWYG form component. Right now I'm leaning toward using htmlpurifier.org's library. I'm using PHP's strip_tags() function elsewhere. Anyone have any advice/preferences/recommendations?


Solution

strip_tags is very vulnerable - you might as well do nothing. HtmlPurifier is probably as good as it gets with html-cleansing. If you are really serious about security, you should probably disallow html input entirely, but I realise that's not always an option.

OTHER TIPS

Don't forget to scrub out the on* attributes like <p onclick="alert('hi!');">. This can cause some trouble.
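The following PHP script is an added example, not code from the question or either answer, and not part of HTMLPurifier. It demonstrates the two points raised above: strip_tags() with an allowed-tag list keeps every attribute on the tags it lets through (including on* handlers and javascript: hrefs), and a DOMDocument-based allow-list sanitizer removes them. The tag and attribute allow lists, the drop list and the accepted URL schemes are assumptions chosen for illustration; a production deployment would still be better served by HTMLPurifier, which handles far more edge cases than this sketch.

```php
<?php
// Added example (not from the original Q&A): contrasts strip_tags() with a
// small DOM-based allow-list sanitizer. Assumes PHP 7.4+ with ext-dom.
declare(strict_types=1);

// Constructed sample input resembling what a WYSIWYG editor might submit.
$untrusted = '<p onclick="alert(1)">Hello <b>world</b></p>'
           . '<a href="javascript:alert(2)">link</a>'
           . '<div>plain <!-- comment --> text</div>'
           . '<script>alert(3)</script>';

// 1) strip_tags() with an allowed-tag list: the <p> and <a> survive together
//    with onclick="..." and href="javascript:...", because strip_tags() only
//    looks at tag names, never at attributes.
$viaStripTags = strip_tags($untrusted, '<p><b><a>');
echo "strip_tags():     ", $viaStripTags, PHP_EOL;

// 2) Allow-list sanitizer (hypothetical helper, assumed policy):
//    keep only known elements and attributes, drop every on* attribute,
//    accept only http/https/mailto in href, drop script/style with content,
//    unwrap other unknown elements so their text is kept, drop comments.
function sanitize_html(string $html): string
{
    $allowed = [
        'p' => ['class'], 'b' => [], 'i' => [], 'em' => [], 'strong' => [],
        'a' => ['href', 'title'], 'ul' => [], 'ol' => [], 'li' => [], 'br' => [],
    ];
    // Elements whose content must not leak out as text.
    $dropWithContent = ['script', 'style', 'iframe', 'object', 'embed'];
    $schemes = ['http', 'https', 'mailto'];

    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    // Wrap the fragment so it parses as a full document with a known charset.
    $doc->loadHTML('<!DOCTYPE html><html><head><meta charset="utf-8"></head>'
                 . '<body>' . $html . '</body></html>');
    libxml_clear_errors();

    $body = $doc->getElementsByTagName('body')->item(0);
    sanitize_node($body, $allowed, $dropWithContent, $schemes);

    // Serialise only the body's children, i.e. the cleaned fragment.
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function sanitize_node(DOMNode $node, array $allowed, array $drop, array $schemes): void
{
    // Walk a snapshot of the children: the loop mutates the live tree.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (in_array($tag, $drop, true)) {
                $node->removeChild($child);
                continue;
            }
            if (!isset($allowed[$tag])) {
                // Unknown element: sanitise its subtree, then hoist the
                // children into the parent and discard the wrapper.
                sanitize_node($child, $allowed, $drop, $schemes);
                while ($child->firstChild !== null) {
                    $node->insertBefore($child->firstChild, $child);
                }
                $node->removeChild($child);
                continue;
            }
            // Attributes: snapshot again, since removeAttribute() mutates the map.
            foreach (iterator_to_array($child->attributes, false) as $attr) {
                $name = strtolower($attr->name);
                if (strncmp($name, 'on', 2) === 0 || !in_array($name, $allowed[$tag], true)) {
                    $child->removeAttribute($attr->name);
                    continue;
                }
                if ($name === 'href') {
                    // DOM has already decoded entities; also strip control and
                    // whitespace characters that browsers ignore inside a scheme.
                    $value = preg_replace('/[\x00-\x20]+/', '', $attr->value);
                    $scheme = parse_url($value, PHP_URL_SCHEME);
                    if ($scheme === false || ($scheme !== null && !in_array(strtolower($scheme), $schemes, true))) {
                        $child->removeAttribute($attr->name);
                    }
                }
            }
            sanitize_node($child, $allowed, $drop, $schemes);
        } elseif (!($child instanceof DOMText)) {
            // Comments, processing instructions and anything else non-text.
            $node->removeChild($child);
        }
    }
}

echo "sanitize_html():  ", sanitize_html($untrusted), PHP_EOL;
```

Run it with `php sanitize.php`. The first line of output shows the onclick handler and the javascript: link passing straight through strip_tags(); the second shows the sanitizer keeping the paragraph, bold text and link text while removing the handler, the href, the comment and the entire script element. The design choice worth noting is the allow list: rather than enumerating dangerous attributes (which is what an on* blacklist alone does), the sanitizer names what is permitted per element and removes everything else, so new browser features do not silently become new holes.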

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow