Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
A
A
Alexey Lebedev2014-06-18 16:04:27
JavaScript
Alexey Lebedev, 2014-06-18 16:04:27

How to filter HTML from XSS and stuff?

I have a wiziwig editor that generates HTML code, example:

<p class="line" id="line-1"><span style="color: rgb(230, 0, 0);"><span style="background-color: rgb(255, 153, 0);">affasf</span></span><span style="background-color: rgb(255, 255, 255);"><span style="color: rgb(230, 0, 0);"><span style="background-color: rgb(255, 153, 0);">dadssadasda</span></span></span></p><p class="line" id="line-35">эллэл</p><p class="line" id="line-43">шхохохх</p><p class="line" id="line-56"><span style="color: rgb(230, 0, 0);"><span style="background-color: rgb(255, 153, 0);"><b>dddddad</b></span></span></p>


It is sent via Ajax and returned via Ajax on output.

What I'm going to do:
1) replace < and > with [ and ] 2) remove
quotes from tags 3 ) replace &
,",' with their html representation
. other But there was this problem: What if someone doesn't close the tag, let's say [b], then the whole bottom will be bold. Is there any way to solve the problem without counting open and closed tags? Maybe it's better to stick everything in an Iframe? Are there other options for working with HTML text?
[b] -> <b>

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

2 answer(s)
Report
A
Andrey Pavlenko, 2014-06-18
@swanrnd

First, there is a solution like HTMLPurifier which removes all unresolved tags.
Secondly, simple autocorrect will not help, it is desirable to use regular expressions, in which if the tag is unpaired, it will not be parsed.
Thirdly, there are editors that generate BB markup. I really like WysiBB due to its light weight, great expandability and minimalist design.
If you are interested in this editor - I can throw off a set of rules for autocorrect.

Report
M
Mikhail Osher, 2014-06-18
@miraage

Remember once and for all - HTML is filtered once, before being output to the browser.
If you are using PHP, there is a wonderful htmlspecialchars function. There are similar solutions for other languages.

Similar questions
S
Sergey A2020-02-27 13:56:22
Bitrix, problem with socket initialization? 2Reply
M
myskypesla2017-10-12 21:35:43
How to write a vanilla js script to scroll to blocks? 3Reply
V
Vladimir Mukovoz2017-10-19 15:42:32
How to make video in wordpress post preview? 3Reply
S
s_katala2017-10-20 01:47:24
How to fix Notice: Undefined variable? 2Reply
E
Eugene2017-10-20 16:04:28
How to set up a gateway on SUSE in a VMWARE virtual machine? 2Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question