15  

If you are using php, an excellent solution is to use HTMLPurifier. It has many options to filter out bad stuff, and as a side effect, guarantees well formed html output. I use it to view spam which can be a hostile environment.

如果你使用的是php,一个很好的解决方案就是使用HTMLPurifier。它有很多选项可以过滤掉不好的东西,作为副作用,可以保证形成良好的html输出。我用它来查看可能是恶劣环境的垃圾邮件。

11  

It doesn't really matter what you're looking to remove, someone will always find a way to get around it. As a reference take a look at this XSS Cheat Sheet.

你要删除的内容并不重要,有人会总能找到解决问题的方法。作为参考,请看一下这个XSS备忘单。

As an example, how are you ever going to remove this valid XSS attack:

例如,您将如何删除此有效的XSS攻击:

<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>

Your best option is only allow a subset of acceptable tags and remove anything else. This practice is know as White Listing and is the best method for preventing XSS (besides disallowing HTML.)

您最好的选择是只允许可接受标签的子集并删除其他任何内容。这种做法被称为白名单,是防止XSS的最佳方法(除了不允许使用HTML)。

Also use the cheat sheet in your testing; fire as much as you can at your website and try to find some ways to perform XSS.

在测试中也使用备忘单;在您的网站上尽可能多地开火,并尝试找到一些方法来执行XSS。

6  

The general best strategy here is to whitelist specific tags and attributes that you deem safe, and escape/remove everything else. For example, a sensible whitelist might be <p>, <ul>, <ol>, <li>, <strong>, <em>, <pre>, <code>, <blockquote>, <cite>. Alternatively, consider human-friendly markup like Textile or Markdown that can be easily converted into safe HTML.

这里的一般最佳策略是将您认为安全的特定标签和属性列入白名单,并转义/删除其他所有内容。例如,合理的白名单可能是

,

,

,
1. ,,,

   ,,
          
          
   
            , 
           。或者,考虑像Textile或Markdown这样的人性化标记,可以轻松转换为安全的HTML。
    
          

,,, ,,,。或者,考虑像Textile或Markdown这样的人性化标记,可以轻松转换为安全的HTML。

2  

Rather than allow HTML, you should have some other markup that can be converted to HTML. Trying to strip out rogue HTML from user input is nearly impossible, for example

您应该拥有一些可以转换为HTML的其他标记,而不是允许HTML。例如,试图从用户输入中删除流氓HTML几乎是不可能的

<scr<script>ipt etc="...">

Removing from this will leave

从中删除将离开

<script etc="...">

2  

For a C# example of white list approach, which * uses, you can look at this page.

对于*使用的白名单方法的C#示例,您可以查看此页面。

1  

Kohana's security helper is pretty good. From what I remember, it was taken from a different project.

Kohana的安全助手非常好。从我记忆中,它来自一个不同的项目。

However I tested out

但是我测试了

<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>

From LFSR Consulting's answer, and it escaped it correctly.

来自LFSR Consulting的答案,它正确地逃脱了。

0  

If it is too difficult removing the tags you could reject the whole html-data until the user enters a valid one. I would reject html if it contains the following tags:

如果删除标签太困难,您可以拒绝整个html数据,直到用户输入有效的数据。如果它包含以下标记,我会拒绝html:

frameset,frame,iframe,script,object,embed,applet.

Also tags which you want to disallow are: head (and sub-tags),body,html because you want to provide them by yourself and you do not want the user to manipulate your metadata.

您还想要禁用的标签是:head(和子标签),body,html,因为您希望自己提供这些标签,并且您不希望用户操纵您的元数据。

But generally speaking, allowing the user to provide his own html code always imposes some security issues.

但一般来说,允许用户提供自己的HTML代码总是会带来一些安全问题。

0  

You might want to consider, rather than allowing HTML at all, implementing some standin for HTML like BBCode or Markdown.

你可能想要考虑,而不是允许HTML,实现像BBCode或Markdown这样的HTML。

0  

I use this php strip_tags function because i want user can post safely and i allow just few tags which can be used in post in this way nobody can hack your website through script injection so i think strip_tags is best option

我使用这个php strip_tags函数,因为我希望用户可以安全发布,我允许只有几个标签可以在帖子中使用这种方式没有人可以通过脚本注入破解你的网站所以我认为strip_tags是最好的选择

Clich here for code for this php function

在这里陈词滥调这个PHP函数的代码

-1  

It is very good function in php you can use it

它是非常好的功能在PHP你可以使用它

$string = strip_tags($_POST['comment'], "<b>");