4

Ok, now I have a dilemma: I need to allow users to insert raw HTML but also block out all JS - not just script tags but from the href etc. At the moment, all I know of is

htmlspecialchars($string, ENT_QUOTES, 'UTF-8');

But this also converts valid tags into encoded characters. If I use strip_tags, it also doesn't work as it removes tags! (I know that you can allow tags, but the thing is if I allow any tags such as <a></a> people can add malicious JS to it.)

Is there anything I can do to allow HTML tags but without the XSS injection? I have planned a function: xss() and have set up my site's template with that. It returns the escaped string. (I just need help with escaping :))

Thanks!

user115422
    This may be useful. http://shiflett.org/blog/2007/mar/allowing-html-and-preventing-xss – twodayslate Oct 17 '12 at 19:50
  • What does your application really do? Normally, the people use BBCode for text formatting, exactly because of this issue! – Sebastian Breit Oct 17 '12 at 19:56
  • 1
    Related: http://stackoverflow.com/questions/3847631/preventing-xss-but-still-allowing-some-html-in-php?rq=1 – twodayslate Oct 17 '12 at 19:58
  • @Perroloco well I am making a CMS but the problem is that when someone inserts SOURCE which happens sometimes - they can be doing so genuinely or because they want to hack the site. BBCode is not an option as I've already started the site and people have already posted things so changing between HTML and BBCode is not acceptable. Good suggestion though! – user115422 Oct 17 '12 at 19:58
  • @twodayslate umm... I guess that could help but I am pretty new with plugins, can you show me a sample of _how_ I would use htmlpurifier? I like the idea but I need it to work on the `xss()` function, I have written too much code to be able to do anything but edit what `xss()` does - it's stored in a settings file. – user115422 Oct 17 '12 at 20:01
  • HtmlPurifier seems to be the fastest option! – Sebastian Breit Oct 17 '12 at 20:02

1 Answer

3

Related: Preventing XSS but still allowing some HTML in PHP

Example code from HTMLPurifier Docs:

require_once '/path/to/HTMLPurifier.auto.php';

$config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);
$clean_html = $purifier->purify($dirty_html);

You can use that code as a reference in your xss(...) method.

twodayslate
  • so wait, I just put that into the function and tell it to `return $clean_html` ? – user115422 Oct 17 '12 at 20:08
  • Yes. The setup should probably be done outside the method in a setup php file or config file so you can just use `return $purifier->purify($dirty_html);` with `$dirty_html` being an attribute of `xss(...)` – twodayslate Oct 17 '12 at 20:10
  • then I would have to make the variables global, right? I mean: `global $config, $clean_html`, right? – user115422 Oct 17 '12 at 20:13
  • http://stackoverflow.com/questions/1557787/are-global-variables-in-php-considered-bad-practice-if-so-why http://tjhunt.blogspot.com/2009/04/php-global-variables-are-not.html I said do the setup outside the `xss(...)` method just so you won't have duplicate data if `xss(...)` is ever run more than once per page load / server request. If `xss(...)` is only called once then you can throw the setup commands in the `xss(...)` function and it shouldn't affect performance. – twodayslate Oct 17 '12 at 20:14
  • Wait, so yes or no? :) I'm a bit new to functions and stuff, sorry! – user115422 Oct 17 '12 at 20:22
  • 1
    For your purposes I assume putting everything in `xss(...)` will be fine. – twodayslate Oct 17 '12 at 20:24
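The following is an added example (not code from the question, the answer, or the HTMLPurifier project) that ties together the answer's snippet and the two points raised in the comments: the question's observation that an allow-listed `strip_tags` still leaves attributes on an `<a>` tag, and the follow-up about where the purifier setup lives and whether globals are needed. It assumes HTMLPurifier is installed via Composer (`vendor/autoload.php`); the classic `HTMLPurifier.auto.php` include from the answer works the same way. The `xss()` name, the sample input and the chosen allow-list are assumptions for illustration.

```php
<?php
// Added example; assumes HTMLPurifier is available through Composer.
// Equivalent: require_once '/path/to/HTMLPurifier.auto.php';
require_once __DIR__ . '/vendor/autoload.php';

/**
 * Sanitize user-supplied HTML for display.
 *
 * The purifier is built once and kept in a static local variable, so the
 * configuration is not rebuilt on every call and no global variables are
 * needed, which answers the "do I need global $config" question above.
 */
function xss(string $dirty_html): string
{
    static $purifier = null;

    if ($purifier === null) {
        $config = HTMLPurifier_Config::createDefault();
        // Allow-list (assumed for this example): only these elements and
        // attributes survive. <script>, style attributes and on* event
        // handlers are not listed, so they are removed.
        $config->set('HTML.Allowed',
            'p,br,b,strong,i,em,u,ul,ol,li,blockquote,a[href|title]');
        // Only http(s) links: a javascript: URL in href fails this check
        // and the href attribute is dropped.
        $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
        // Disable the definition cache for this demo. In production point
        // Cache.SerializerPath at a writable directory instead.
        $config->set('Cache.DefinitionImpl', null);
        $purifier = new HTMLPurifier($config);
    }

    return $purifier->purify($dirty_html);
}

// Constructed sample input: legitimate markup mixed with the kinds of
// JavaScript vectors the question describes (a script tag, an inline
// event handler and a javascript: URL in href).
$sample = '<p>Hello <b>world</b></p>'
        . '<script>alert(1)</script>'
        . '<a href="javascript:alert(1)" onclick="alert(2)">click</a>'
        . '<a href="https://example.com/">ok</a>';

// strip_tags with an allow-list removes the <script> tags but leaves their
// text behind and keeps the whole <a> element, attributes included. That is
// exactly the gap the question describes.
echo strip_tags($sample, '<p><b><a>'), PHP_EOL;

// HTMLPurifier keeps the allowed markup, drops the script element together
// with its content, removes onclick, and strips the javascript: href while
// leaving the https link intact.
echo xss($sample), PHP_EOL;
```

Call `xss()` wherever the template currently escapes user content; because the purifier instance is cached in the function, the setup cost is paid once per request regardless of how many times the function runs. If the allow-list is ever widened, re-check `URI.AllowedSchemes` and any new URL-bearing attributes, since those are where script URLs reappear.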