If the html tag is filtered to prevent xss injection, the function of the rich text editor will be gone and it will be filtered together. If the html is retained, it will not prevent xss injection.
How to deal with this problem normally? ? ? Filter only specific tags? ? ?
If the html tag is filtered to prevent xss injection, the function of the rich text editor will be gone and it will be filtered together. If the html is retained, it cannot prevent xss injection.
How do you normally deal with this problem? ? ? Filter only specific tags? ? ?
HTML Purifier is an HTML filter written in PHP, which can be used with a WYSIWYG editor to filter out XSS malicious code.
<code><?php require dirname(__FILE__).'/htmlpurifier/library/HTMLPurifier.auto.php'; $purifier = new HTMLPurifier(); echo $purifier->purify($html);</code>
I think whitelist is good, just keep the tags you want to use and filter everything else
You don’t need to filter whatever functions your rich text editor supports. Just filter other ones. When you receive a p tag, do you still have to distinguish whether it was added using your editor or manually?
Is it okay to stipulate that you need to use your own new set of grammar?
Just filter out the js script
Escaped to entity characters when entering the database
Restored when exporting.
And filter out
<script></script>
javascript:xxx;
this kind
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
