阻止 xss 但允许所有 html 标签

2022-01-18 00:00:00 tags php html xss

我正在建立一个博客,目前正在完成管理面板.

I am building a blog and currently im finishing the admin panel.

因为我将主要是管理它的人......我想确保在我输入时

Since i will be mostly who will be managing it... i want to make sure that when i type

<ul>
   <li>test</li>
   <li>test</li>
</ul>

会显示无序列表,但也会阻止 XSS 标签以防万一...

will show me the unordered list but also prevent XSS tags just in case...

我该怎么做?

是否可以创建函数并替换 ulolimg 等标签...?

could a solution be creating functions and replace the tags of ul, ol, img etc...?

推荐答案

您正在寻找的是 HTML sanitizer.这些很难正确编写,因此您应该查看现有的库.对于 PHP,请查看 HTML Purifier.

What you are looking for is an HTML sanitizer. These are very hard to write correctly, so you should look at an existing library. For PHP, have a look at HTML Purifier.

适当的 XSS 保护不仅仅涉及 html 清理.开放 Web 应用程序安全项目 (OWASP) 制定了避免 XSS 攻击的规范指南:

Proper XSS protection involves more than html sanitizing. The Open Web Application Security Project (OWASP) has put together a canonical guide to avoiding XSS attacks:

XSS(跨站点脚本)预防备忘单

相关文章