I am using HTMLPurifier for a simple TinyMCE WYSIWYG. If I do not use htmlspecialchars, will it be open to an XSS attack? I am doing this

    $detail = $purifier->purify($detail);

to purify the data for the textarea. If I use htmlspecialchars, then it strips all the basic tags, which is not user-friendly for a WYSIWYG editor. But the problem is, it is also in the <script> tag.
And if I change the config setting to

    $config->set('ExtractStyleBlocks', true);

this gives &lt; and &gt; for <script> tags, i.e. &lt; and &gt; for <script> only. But this <p>This paragraph is</p>, <strong>This text is bold</strong> and so on: it's <p>. Please get rid of this problem. Please help. Thanks for your time.
Edit: My HTMLPurifier is started here

    $config = HTMLPurifier_Config::createDefault();
    // $config->set('ExtractStyleBlocks', true);
    $config->set('HTML.ForbiddenElements', array('script', 'style', 'applet'));
    $purifier = new HTMLPurifier($config);
Getting data from the database:

    while (mysqli_stmt_fetch($stmt1)) {
        $id = htmlspecialchars($id);
        $title = htmlspecialchars($title);
        $detail = $purifier->purify($detail);
        $posts = "<div id='date_news'><div id='news_holder$id' class='news_holder'><h3 id='show_title'>"
               . htmlspecialchars($title) . "</h3>$detail</div></div>";
    }
$detail in the database:

    <p><strong>Aloo Wazi</strong></p><p>Let me know and &lt;script&gt;alert("XSS")&lt;/script&gt;</p>

On the user screen, all the words are shown:

    <script>alert("XSS")</script>
OK, after my comment, try adding this to your HTMLPurifier configuration. It should be enabled by default, but worth a shot.

    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.ForbiddenElements', array('script', 'style', 'applet'));
    $purifier = new HTMLPurifier($config);
Edit

    <p>Let me know and &lt;script&gt;alert("XSS")&lt;/script&gt;</p>

You already have the <script> tags escaped when saving, so there is nothing for HTMLPurifier to parse. As a result it will be output on the page, but you have effectively disabled the XSS attempt.

Your code is already escaping HTML characters before saving to the database.
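To make the point of the answer concrete, here is an added example (not code from the question or the answer) that runs the same sample through both orders, escape-then-purify and purify-once. It assumes the ezyang/htmlpurifier package is installed with Composer; the helper name buildPurifier and the sample strings are constructed for the demo.

```php
<?php
// Added example, not from the original post. Assumes ezyang/htmlpurifier is
// installed via Composer so vendor/autoload.php exists.
require __DIR__ . '/vendor/autoload.php';

// Constructed sample of what the WYSIWYG editor submits; the <script> is the XSS attempt.
$submitted = '<p><strong>Aloo Wazi</strong></p>'
           . '<p>Let me know and <script>alert("XSS")</script></p>';

// Hypothetical helper: whitelist only the markup the editor needs instead of
// blacklisting script/style/applet, so unknown tags and attributes are dropped too.
function buildPurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed', 'p,br,strong,em,ul,ol,li,a[href]');
    $config->set('Cache.DefinitionImpl', null); // no on-disk cache needed for a demo
    return new HTMLPurifier($config);
}

$purifier = buildPurifier();

// 1. Escape at save time, purify at display time (the order in the question).
//    htmlspecialchars turns every tag into text, so the purifier finds no
//    elements and keeps the &lt;script&gt; entities. The browser then shows the
//    literal words <script>alert("XSS")</script>, and literal <p>/<strong>
//    instead of formatting. Not exploitable, but not a WYSIWYG result either.
$escapedFirst = $purifier->purify(htmlspecialchars($submitted, ENT_QUOTES, 'UTF-8'));

// 2. Purify the raw editor HTML once, before storing it, and echo the stored
//    value as-is. The <script> element and its contents are removed; the
//    allowed formatting tags survive.
$purifiedOnce = $purifier->purify($submitted);

// Plain-text fields such as the title are not HTML: escape them exactly once,
// at output time (the question's loop escapes $title twice).
$title = 'News <b>title</b>'; // constructed sample
$safeTitle = htmlspecialchars($title, ENT_QUOTES, 'UTF-8');

echo "escape-then-purify: $escapedFirst\n";
echo "purify-once:        $purifiedOnce\n";
echo "<h3>$safeTitle</h3>$purifiedOnce\n";
```

Run it from the command line and compare the two lines: the first contains the entity-encoded script text, the second contains only the paragraph markup.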