Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
A
A
Alexey Lebedev2014-06-18 16:04:27
JavaScript
Alexey Lebedev, 2014-06-18 16:04:27

How to filter HTML from XSS and stuff?

I have a wiziwig editor that generates HTML code, example:

<p class="line" id="line-1"><span style="color: rgb(230, 0, 0);"><span style="background-color: rgb(255, 153, 0);">affasf</span></span><span style="background-color: rgb(255, 255, 255);"><span style="color: rgb(230, 0, 0);"><span style="background-color: rgb(255, 153, 0);">dadssadasda</span></span></span></p><p class="line" id="line-35">эллэл</p><p class="line" id="line-43">шхохохх</p><p class="line" id="line-56"><span style="color: rgb(230, 0, 0);"><span style="background-color: rgb(255, 153, 0);"><b>dddddad</b></span></span></p>


It is sent via Ajax and returned via Ajax on output.

What I'm going to do:
1) replace < and > with [ and ] 2) remove
quotes from tags 3 ) replace &
,",' with their html representation
. other But there was this problem: What if someone doesn't close the tag, let's say [b], then the whole bottom will be bold. Is there any way to solve the problem without counting open and closed tags? Maybe it's better to stick everything in an Iframe? Are there other options for working with HTML text?
[b] -> <b>

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

2 answer(s)
Report
A
Andrey Pavlenko, 2014-06-18
@swanrnd

First, there is a solution like HTMLPurifier which removes all unresolved tags.
Secondly, simple autocorrect will not help, it is desirable to use regular expressions, in which if the tag is unpaired, it will not be parsed.
Thirdly, there are editors that generate BB markup. I really like WysiBB due to its light weight, great expandability and minimalist design.
If you are interested in this editor - I can throw off a set of rules for autocorrect.

Report
M
Mikhail Osher, 2014-06-18
@miraage

Remember once and for all - HTML is filtered once, before being output to the browser.
If you are using PHP, there is a wonderful htmlspecialchars function. There are similar solutions for other languages.

Similar questions
S
Sergey2015-03-27 10:22:55
Cookie counter junk in Chrome, how to cure? 2Reply
A
alexdora2016-06-13 05:22:31
What type of table should I choose for 200-400 concurrent connections? 2Reply
S
Sergey Bocharov2016-06-15 00:50:08
What report builder for a web project on postgresql + python would you recommend? 2Reply
S
Sergey Burduzha2021-03-25 12:00:33
Why is a fetch request not working? 3Reply
F
Fyodor Buzinov2015-04-14 12:52:57
Nginx: redirect from https to http? 5Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question