开发者

Best Settings for Html purify

问答 作者:

I would like to use PHP-based tool HTML Purifier on a textbox to prevent xss but I would like to allow the following:

  1. basic tags like <b>,<i>,<u>
  2. links
  3. images

I would like to block all CSS and开发者_如何学JAVA JavaScript. I just tried HTML Purifier and it failed on this case. Just see this example. How can I take care of this?

Also I would want all words of the form #abcd and @abcd to be replaced with custom html (as you would have guessed it a link). Is it possible with this or do I have to do my own replace?

Set HTML.Allowed to something like b,i,u,a[href],img[src|alt]

See here.

Regular expressions and e modifier


function checkTag( $tag ) {
  $tag = removeslashes( $tag );

  ...

  return $secureTag;
}

$html = preg_replace( "/<[^>]+>/e", " checkTag( '\$0' )", $input );

PHP has a built-in function that seems to do exactly what you want.

http://php.net/manual/en/function.strip-tags.php

It even has a whitelist feature so it can allow some tags.

For the #abcd and the @abcd part I think you will have to use a preg_replace() for that. I have used a similar function and it does the @abcd part very well :).

$sClickText = preg_replace("/\@([a-zA-Z0-9_])+/",' <a href="#reply" onClick="reply(\'' . "$0" . '\')">' . "$0" . '</a>',$sInputText);

继续阅读:htmlpurifierphp

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9