How do you prevent malicious input in WYSIWYG editors like TinyMCE?
你如何防止像TinyMCE这样的所见即所得编辑中的恶意输入?
I have a system with users who are not "tech savvy" (so no WMD) and need a rich text editor that posts its content into a database.
我有一个系统,用户不是“精通技术”(因此没有WMD),需要一个富文本编辑器将其内容发布到数据库中。
I'm worried about scripting attacks and malicious input code.
我担心脚本攻击和恶意输入代码。
3 个解决方案
#1
14
If you only want safe html then you should use the HTML Purifier. If you want to protect against XSS and block all html then you should use $var=htmlspcialchars($var,ENT_QUOTES);
如果您只想要安全的HTML,那么您应该使用HTML Purifier。如果你想要防止XSS并阻止所有html,那么你应该使用$ var = htmlspcialchars($ var,ENT_QUOTES);
#2
0
You can't prevent that input from the client side. You can add things to get in the way (or try), but it will always be trivial to submit malicious code. You NEED to sanitize in PHP.
您无法阻止来自客户端的输入。您可以添加一些东西以阻止(或尝试),但提交恶意代码总是微不足道的。你需要在PHP中进行消毒。
ALWAYS ALWAYS ALWAYS escape user submitted content before displaying it (htmlentities will usually take care of that for you).
在显示之前,始终总是要逃避用户提交的内容(htmlentities通常会为您处理)。
If you want the ability to have HTML submitted (as you say you want WYSIWYG), then you'll need to white-list sanitize the HTML that was submitted. When I say white-list, I mean both tag name and attribute.
如果您希望能够提交HTML(正如您所说的所见即所得),那么您需要使用白名单清理已提交的HTML。当我说白名单时,我指的是标签名称和属性。
I'm not that familiar with CodeIgniter, but I did find this which looks like it may do what you want...
我对CodeIgniter并不熟悉,但我确实发现它看起来像你想要的那样......
#1
14
If you only want safe html then you should use the HTML Purifier. If you want to protect against XSS and block all html then you should use $var=htmlspcialchars($var,ENT_QUOTES);
如果您只想要安全的HTML,那么您应该使用HTML Purifier。如果你想要防止XSS并阻止所有html,那么你应该使用$ var = htmlspcialchars($ var,ENT_QUOTES);
#2
0
You can't prevent that input from the client side. You can add things to get in the way (or try), but it will always be trivial to submit malicious code. You NEED to sanitize in PHP.
您无法阻止来自客户端的输入。您可以添加一些东西以阻止(或尝试),但提交恶意代码总是微不足道的。你需要在PHP中进行消毒。
ALWAYS ALWAYS ALWAYS escape user submitted content before displaying it (htmlentities will usually take care of that for you).
在显示之前,始终总是要逃避用户提交的内容(htmlentities通常会为您处理)。
If you want the ability to have HTML submitted (as you say you want WYSIWYG), then you'll need to white-list sanitize the HTML that was submitted. When I say white-list, I mean both tag name and attribute.
如果您希望能够提交HTML(正如您所说的所见即所得),那么您需要使用白名单清理已提交的HTML。当我说白名单时,我指的是标签名称和属性。
I'm not that familiar with CodeIgniter, but I did find this which looks like it may do what you want...
我对CodeIgniter并不熟悉,但我确实发现它看起来像你想要的那样......