Sunday 15 June 2014

php - HTMLPurifier without htmlspecialchars


I am using HTMLPurifier for a simple TinyMCE WYSIWYG editor. If I do not use htmlspecialchars, will it be open to XSS attacks? I am doing this:

  $detail = $purifier->purify($detail);

to purify the data from the textarea. If I use htmlspecialchars, it escapes all the basic tags, which is not user-friendly for a WYSIWYG editor. But the problem is that the <script> tag also comes through.

And if I set the config to

  $config->set('Filter.ExtractStyleBlocks', true);

this takes care of the < and > of the <script> tags, but only those. <p>This is a paragraph</p>, <strong>This text is bold</strong> and so on still come out showing their <p> tags.

Please help me get rid of this problem. Thanks for your time.

Edit

My HTMLPurifier is initialised here:

  $config = HTMLPurifier_Config::createDefault();
  // $config->set('Filter.ExtractStyleBlocks', true);
  $config->set('HTML.ForbiddenElements', array('script', 'style', 'applet'));
  $purifier = new HTMLPurifier($config);

Getting the data from the database:

  while (mysqli_stmt_fetch($stmt1)) {
      $id     = htmlspecialchars($id);
      $title  = htmlspecialchars($title);
      $detail = $purifier->purify($detail);
      $posts  = "<div id='date_news'><div id='news_holder$id' class='news_holder'>"
              . "<h3 id='show_title'>" . htmlspecialchars($title) . "</h3>$detail</div>";
  }

$detail in the database, before output:

  <p><strong>Aloo Wazi</strong></p><p>Let me know and &lt;script&gt;alert("XSS")&lt;/script&gt;</p>

The user screen shows all the text, including:

  <script>alert("XSS")</script>

OK, following my comment, try adding this to your HTMLPurifier configuration. It should be enabled by default, but it's worth a shot.

  $config = HTMLPurifier_Config::createDefault();
  $config->set('HTML.ForbiddenElements', array('script', 'style', 'applet'));
  $purifier = new HTMLPurifier($config);

Edit

  <p>Let me know and &lt;script&gt;alert("XSS")&lt;/script&gt;</p>

You already have the <script> tags escaped before they are saved, so there is nothing for HTMLPurifier to parse. As a result they will be output on the page as text, but you have effectively disabled the XSS attempt.

Your code is already escaping the HTML characters before saving to the database.
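The three behaviours this thread turns on, shown side by side in an added example that is not code from the question or the answer: htmlspecialchars on editor markup, HTMLPurifier on the raw markup, and HTMLPurifier on markup that was already escaped before it was stored. It assumes HTMLPurifier is installed through Composer (ezyang/htmlpurifier); the renderPost helper and the sample post are constructed for this example.

```php
<?php
// Added example; not code from the question or the answer. Assumes HTMLPurifier
// (ezyang/htmlpurifier) is installed with Composer so vendor/autoload.php exists.
require_once __DIR__ . '/vendor/autoload.php';

$config = HTMLPurifier_Config::createDefault();
// Same explicit forbid list as the answer; the default whitelist already excludes these.
$config->set('HTML.ForbiddenElements', array('script', 'style', 'applet'));
$purifier = new HTMLPurifier($config);

// Constructed sample, modelled on the stored $detail in the question: editor markup plus an XSS attempt.
$raw = '<p><strong>Aloo Wazi</strong></p><p>Let me know and <script>alert("XSS")</script></p>';

// Case 1: htmlspecialchars. Safe, but every tag becomes text, so the WYSIWYG formatting is lost.
$escaped = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');

// Case 2: HTMLPurifier on the raw markup. <p> and <strong> survive; <script> is not on the
// whitelist and is removed. This is the path a WYSIWYG field should take.
$purified = $purifier->purify($raw);

// Case 3: HTMLPurifier on markup that was already escaped before it was stored (the
// questioner's situation). The entities are plain text, so nothing is removed and the
// reader sees the literal characters <script>alert("XSS")</script> on screen.
$purifiedTwice = $purifier->purify($escaped);

// Rendering one post: escape plain-text fields, purify the HTML field, and do each only once.
// (Hypothetical helper written for this example.)
function renderPost(HTMLPurifier $purifier, $id, $title, $detail)
{
    $safeId    = htmlspecialchars((string) $id, ENT_QUOTES, 'UTF-8');
    $safeTitle = htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
    $safeBody  = $purifier->purify($detail);   // $detail is raw HTML from the editor
    return "<div id='news_holder$safeId' class='news_holder'>"
         . "<h3 id='show_title'>$safeTitle</h3>$safeBody</div>";
}

echo "htmlspecialchars: $escaped\n";
echo "purify(raw):      $purified\n";
echo "purify(escaped):  $purifiedTwice\n";
echo renderPost($purifier, 7, 'Today <b>special</b>', $raw), "\n";
```

Run with php on a checkout that has the Composer autoloader; the two purify lines show why escaping and purifying the same field cancels the editor's formatting.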

