Prevent XSS but allow all HTML tags


Question

I am building a blog and currently I'm finishing the admin panel.

Since I will mostly be the one managing it... I want to make sure that when I type

<ul>
   <li>test</li>
   <li>test</li>
</ul>

it will show me the unordered list but also prevent XSS tags, just in case...

How can I do this?

Could a solution be creating functions and replacing the tags of ul, ol, img etc...?

Accepted answer

What you are looking for is an HTML sanitizer. These are very hard to write correctly, so you should look at an existing library. For PHP, have a look at HTML Purifier.

Proper XSS protection involves more than HTML sanitizing. The Open Web Application Security Project (OWASP) has put together a canonical guide to avoiding XSS attacks:

XSS (Cross Site Scripting) Prevention Cheat Sheet
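As an added example (not part of the original answer), here is how HTML Purifier can be configured with an allowlist that keeps the list markup from the question while removing script content; it assumes the library is installed via Composer and the function name sanitizePostHtml is my own:

```php
<?php
// Added example: sanitizing blog post HTML with HTML Purifier so that list and
// formatting tags survive while script content and event handlers are removed.
// Assumes the library was installed with Composer (package ezyang/htmlpurifier).
require_once __DIR__ . '/vendor/autoload.php';

function sanitizePostHtml(string $dirty): string
{
    $config = HTMLPurifier_Config::createDefault();
    // Allowlist: only these elements and attributes are kept. Anything else
    // (script, iframe, style, on* event handlers) is dropped, not escaped.
    $config->set('HTML.Allowed',
        'p,br,ul,ol,li,strong,em,blockquote,pre,code,a[href|title],img[src|alt]');
    // Only http/https are accepted in href/src, so javascript: and data: URIs
    // are stripped from the attribute.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    // Disable the definition cache so the example needs no writable directory.
    $config->set('Cache.DefinitionImpl', null);

    $purifier = new HTMLPurifier($config);
    return $purifier->purify($dirty);
}

// Constructed sample input: the list from the question plus markup that the
// allowlist above does not permit.
$dirty = <<<'HTML'
<ul>
   <li>test</li>
   <li onclick="alert('xss')">test</li>
</ul>
<script>alert('xss')</script>
<a href="javascript:alert('xss')">link</a>
HTML;

echo sanitizePostHtml($dirty);
```

Sanitize once on output (or once on save, then store the clean version) rather than trying to patch individual tags with string replacement.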
