PHP
jazzman7, 2020-10-07 01:55:39

Dump safely html from database?

Hello, I installed the WYSIWYG editor CKEditor, chose between markdown and html, chose html and apparently in vain.

My text fields are filtered for everything on input, and I think I'm fine there, no holes, but the post's markup wasn't being rendered at all, so something went wrong. I put htmlspecialchars_decode() on the output and, lo and behold, XSS appeared. After thinking for five minutes I decided strip_tags would fix everything, but no such luck: xss and img can still be inserted, so again not an option. Now I'm thinking of either switching CKEditor to markdown, though I don't feel like writing a markdown-to-html converter, or coming up with something for the html output, which seems easier to me. I tried some jevix library, alas, it doesn't work; I also found htmlpurifier, but it's not clear how to use it. What do you all think? Which is better to keep, the markdown or the html editor? If html, then the first question of the topic applies; if markdown, then how do you quickly convert markdown to html? As I understand it, you can also use js libraries,


2 answers
profesor08, 2020-10-07
@profesor08

Use any editor you like. Absolutely any. Let it do whatever it needs, however it needs. It does not matter. As a result, you should get ready-made HTML code on your server. It doesn't matter how you get it: whether it comes to you from the front end, whether you generate it from markdown that arrives from the front end, or whether you read it from a file, you will have to work with this HTML code. You will need to secure it, and there are ready-made tools for this.
Here for your reference:
php - https://packagist.org/packages/tgalopin/html-sanitizer
javascript - https://github.com/cure53/DOMPurify
You can find a ton of analogues for keywords.

entermix, 2020-10-07
@entermix

"My text fields are filtered for everything on input"

This is the problem, you need to filter the output, not the input.
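Putting the two answers together (keep the editor's HTML, and make it safe at the point of output rather than on input), here is an added example that is not code from either answerer or from the asker. It uses the PHP package linked in the first answer, tgalopin/html-sanitizer, and assumes it was installed with `composer require tgalopin/html-sanitizer`; the host `images.example.com`, the function names and the sample post are constructed for the illustration.

```php
<?php
// Added example, not code from the thread. Assumes the package from the first
// answer is installed: composer require tgalopin/html-sanitizer
require __DIR__ . '/vendor/autoload.php';

use HtmlSanitizer\Sanitizer;

/**
 * One allow-list sanitizer for post bodies, built once and reused.
 * Only what the listed extensions know is kept: the formatting CKEditor
 * emits (<p>, <b>, <i>, <ul>, <li>, <a>, <img> ...) survives, while
 * <script>, <iframe>, <style>, on* event attributes and javascript: URLs
 * are removed before the HTML reaches the page.
 */
function makePostSanitizer(): Sanitizer
{
    return Sanitizer::create([
        'extensions' => ['basic', 'list', 'image'],
        'tags' => [
            'img' => [
                // Only images from a host you control; constructed placeholder host.
                'allowed_hosts'  => ['images.example.com'],
                'allow_data_uri' => false,
                'force_https'    => true,
            ],
            'a' => [
                'allowed_hosts' => null, // any host, but only http(s) links survive
                'force_https'   => true,
            ],
        ],
    ]);
}

/**
 * Rich-text field: the body is stored exactly as the editor produced it
 * (no htmlspecialchars on the way in, so no decode on the way out), and
 * this is the single place where it is made safe before being echoed.
 */
function renderPostBody(Sanitizer $sanitizer, string $storedHtml): string
{
    return $sanitizer->sanitize($storedHtml);
}

/**
 * Plain-text field (title, author name): no HTML is wanted at all, so the
 * right output filter is escaping, not sanitizing.
 */
function renderPlainField(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample of what a hostile user could submit through the editor.
$storedBody = '<p>Hello <b>world</b></p>'
    . '<img src="https://images.example.com/cat.png" onerror="alert(1)">'
    . '<script>alert(1)</script>'
    . '<a href="javascript:alert(1)">click me</a>';
$storedTitle = 'My <script>alert(1)</script> title';

$sanitizer = makePostSanitizer();
echo '<h1>' . renderPlainField($storedTitle) . '</h1>' . PHP_EOL;
echo renderPostBody($sanitizer, $storedBody) . PHP_EOL;
```

The split between the two render functions is the point of the second answer: the database holds whatever the user typed, and the decision about what is safe is made once, at output, per kind of field. Storing an already-escaped string and then calling htmlspecialchars_decode() on it, as in the question, undoes the only protection there was. The `Sanitizer::create()` / `sanitize()` shape above is that of tgalopin/html-sanitizer 1.x; its README now names symfony/html-sanitizer as the successor package, which takes the same allow-list approach.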
