Want to 'sandbox' user form submitted HTML
I have a user form with a textarea that allows users to submit html formatted data. The html itself is limited by PHP strip_tags, but of course that does no 开发者_如何学编程completion checking etc.
My basic problem is that should a user leave a tag unclosed, such as the <a>
tag, then all the content following that, including page content that follows that is 'outside' the user content display area, could now be malformed.
Checking for proper tag completion is one solution I will look at, but ideally I'd like to firewall the user htmlified content away from the rest of the site somehow.
Use HTML Purifier. Very thorough and easy-to-use standalone plugin. It makes sure all markup is valid XHTML and also prevents XSS attacks.
I would recommend saving two copies of the user's HTML input in your database. One copy would be the raw form that they submitted which you can use for when they edit their page later, and the second would be that sanitized by HTML Purifier which you display on output. Storing the sanitized version is much faster than runing HTML Purifier on every page load.
The only way to achieve complete isolation would be to use an iframe.
The other solution would be to limit the html tags users could employ. Limiting users to paragraph and inline tags (string
, em
, a
, etc.) would ensure that you could wrap all of the content in a div tag and not have to worry about open tags.
Just use some function for completing unclosed tags. This can help you: http://concepts.waetech.com/unclosed_tags/
精彩评论