Question

I have developed a site that allows the users to embed widgets into their profile.

These widgets allow HTML and support anything from YouTube embed codes (iframe) to Google Analytics code (JavaScript).

I have recently learned about hackers using iframes and JavaScript to exploit site logins and FTP access.

Is there some sort of PHP solution that I can integrate into my site to avoid these types of hacks while still allowing users to embed HTML widgets into their profile?


Solution

No.

There is no way that you can mechanically distinguish between all "good" JavaScript (e.g, Google Analytics) and "bad" JavaScript. (Without either whitelisting scripts that you approve of, which will inevitably not allow everything that users want, or blacklisting scripts that are inappropriate, which will inevitably be a game of whack-a-mole.)

You will need to stop allowing users to inject arbitrary HTML into your site.
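The whitelisting route the answer mentions is the only one that actually closes the hole, and it means storing structured widget data rather than the user's raw HTML. The following is an added example, not code from the original post or from the asker's site: it accepts a pasted embed snippet, keeps only the one piece the site has decided to support (a YouTube video id from an iframe on an allowlisted host), and re-renders the widget from a fixed server-side template. The allowed host list, the 11-character id pattern and the sample inputs are assumptions made for the example. A Google Analytics snippet cannot be expressed this way, which is exactly the trade-off the answer describes.

```php
<?php
// Added example (not from the original post): allowlist-based widget handling.
// Rather than storing and echoing user-pasted HTML, the site stores only a
// validated video id and renders the embed itself. Any paste containing
// anything other than one iframe on an allowed host is rejected outright.

// Assumed allowlist of embed hosts the site is willing to frame.
const ALLOWED_EMBED_HOSTS = ['www.youtube.com', 'www.youtube-nocookie.com'];

/**
 * Returns the YouTube video id found in a pasted embed snippet, or null when
 * the snippet contains anything other than a single <iframe> whose https src
 * points at an allowed host and has the shape /embed/<id>.
 */
function extractYoutubeId(string $pastedHtml): ?string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);            // tolerate sloppy user markup
    $loaded = $doc->loadHTML(
        '<!DOCTYPE html><html><body>' . $pastedHtml . '</body></html>',
        LIBXML_NONET                             // never fetch external resources while parsing
    );
    libxml_clear_errors();
    if (!$loaded) {
        return null;
    }

    $body = $doc->getElementsByTagName('body')->item(0);
    $iframe = null;
    foreach ($body->childNodes as $node) {
        if ($node->nodeType === XML_TEXT_NODE && trim($node->textContent) === '') {
            continue;                            // ignore whitespace between tags
        }
        // Exactly one element is allowed and it must be an <iframe>; a <script>,
        // a second element or stray text means the paste is rejected.
        if ($node->nodeType !== XML_ELEMENT_NODE || $node->nodeName !== 'iframe' || $iframe !== null) {
            return null;
        }
        $iframe = $node;
    }
    if ($iframe === null) {
        return null;
    }

    // Only the src attribute is looked at; every other attribute (onload, style,
    // srcdoc, ...) is discarded because the widget is re-rendered from a template.
    $parts = parse_url($iframe->getAttribute('src'));
    if ($parts === false
        || ($parts['scheme'] ?? '') !== 'https'          // rejects javascript:, data:, http:
        || !in_array($parts['host'] ?? '', ALLOWED_EMBED_HOSTS, true)) {
        return null;
    }
    // Assumed id shape: YouTube's 11-character [A-Za-z0-9_-] alphabet, nothing else in the path.
    if (!preg_match('~^/embed/([A-Za-z0-9_-]{11})$~', $parts['path'] ?? '', $m)) {
        return null;
    }
    return $m[1];
}

/**
 * Renders the stored widget. The validated id is the only user-influenced
 * content, and it is still escaped as defence in depth.
 */
function renderYoutubeWidget(string $videoId): string
{
    $safeId = htmlspecialchars($videoId, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<iframe src="https://www.youtube-nocookie.com/embed/' . $safeId . '"'
         . ' width="560" height="315"'
         . ' sandbox="allow-scripts allow-same-origin allow-popups allow-presentation"'
         . ' referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe>';
}

// Constructed sample pastes: one legitimate embed and three that must be rejected.
$samples = [
    'valid embed'      => '<iframe width="560" height="315" src="https://www.youtube.com/embed/abcdefghijk" frameborder="0"></iframe>',
    'inline script'    => '<script>alert(1)</script>',
    'foreign iframe'   => '<iframe src="https://not-on-the-list.example/login"></iframe>',
    'javascript: src'  => '<iframe src="javascript:alert(1)"></iframe>',
];

foreach ($samples as $label => $html) {
    $id = extractYoutubeId($html);
    echo $label . ': ' . ($id === null ? 'rejected' : 'stored id ' . $id) . PHP_EOL;
    if ($id !== null) {
        echo '  rendered as: ' . renderYoutubeWidget($id) . PHP_EOL;
    }
}
```

The point of the design is that nothing from the paste survives into the page except a short, pattern-checked identifier: the user's attributes, event handlers and inline scripts are not filtered, they are simply never stored. Each new widget type the site wants to support gets its own extractor and template in the same style.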

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow