Laravel
My Way, 2018-09-10 19:37:07

How to properly escape HTML?

Question: I want to convert ordinary text emoticons into Apple emoji. I did it, but now I have a question about security. I use Laravel and output {{ toEmoji($text) }} in the HTML; the text comes back with the "img" tags in it as text, and of course the emoticons are not displayed. If I output {!! toEmoji($text) !!}, everything is OK, but then JS code can be sent this way and it will run.
How do I escape it properly? Or do I need to somehow save the code in the database at the stage of receiving the text, and if so, how is that done? VK has emoticons and everything works fine there: no JS gets through, but the emoticons are displayed.


4 answer(s)
Tesla, 2018-09-11
@heyMyWay

{{ toEmoji($text) }} is the same as {!! toEmoji($text) !!}, only with escaping. What stops you from doing the escaping manually?
{!! toEmoji(e($text)) !!}
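
As an added example (not code from the thread or from the asker's project), here is a plain-PHP version of the emoticon conversion that escapes the user's text before inserting the generated img tags, placed next to the unsafe variant the question describes. The emoticon table, the image paths and the function names are assumptions. Instead of escaping the whole string first and then doing replacements, it splits the raw text on the emoticon pattern and escapes only the text runs: escaping first would turn <3 into &lt;3 so it no longer matches, and the ;) inside the entity &lt;) (produced from the text "<)") would match as a wink and break the entity.

```php
<?php
// Added example, not code from the thread. Converts text emoticons to <img>
// tags while keeping anything else the user typed inert. The emoticon table,
// the image paths and the function names are assumptions for illustration.
declare(strict_types=1);

// Emoticon text -> image file name (assumed). Matched on the RAW user text.
const EMOTICONS = [
    ':)' => 'smile.png',
    ':(' => 'sad.png',
    ';)' => 'wink.png',
    ':D' => 'grin.png',
    '<3' => 'heart.png',
];

// Same escaping Blade's {{ }} applies: quotes, <, > and & become entities.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// The pattern the question describes: replacements on the raw text, output
// with {!! !!}. User-supplied tags survive untouched, so <script> executes.
function toEmojiUnsafe(string $text, string $baseUrl = '/img/emoji/'): string
{
    foreach (EMOTICONS as $code => $file) {
        $text = str_replace($code, '<img class="emoji" src="' . $baseUrl . $file . '">', $text);
    }
    return $text;
}

// Hardened version: split the raw text on the emoticon alternation, escape
// every text run, and emit generated markup only for the captured emoticons.
function toEmojiSafe(string $text, string $baseUrl = '/img/emoji/'): string
{
    // Longest emoticon first so a longer code is never shadowed by a prefix;
    // preg_quote so characters like ( and ) are literal inside the regex.
    $codes = array_keys(EMOTICONS);
    usort($codes, fn(string $a, string $b): int => strlen($b) <=> strlen($a));
    $alternation = implode('|', array_map(fn(string $c): string => preg_quote($c, '/'), $codes));
    $pattern = '/(' . $alternation . ')/u';

    // PREG_SPLIT_DELIM_CAPTURE yields [text, emoticon, text, emoticon, ..., text].
    $parts = preg_split($pattern, $text, -1, PREG_SPLIT_DELIM_CAPTURE);
    if ($parts === false) {
        // Invalid UTF-8 makes the /u pattern fail: fall back to escaping everything.
        return esc($text);
    }

    $out = '';
    foreach ($parts as $i => $piece) {
        if ($i % 2 === 1) {
            // Captured emoticon: the only markup in the output is built here,
            // from our own table, with the attribute values escaped as well.
            $out .= '<img class="emoji" src="' . esc($baseUrl . EMOTICONS[$piece]) . '" alt="' . esc($piece) . '">';
        } else {
            // User text run: escaped, so tags and attributes render literally.
            $out .= esc($piece);
        }
    }
    return $out;
}

// Constructed input mixing emoticons with an injection attempt.
$input = 'Hi :) <script>alert(1)</script> I <3 <b onclick="x()">this</b> ;)';
echo "unsafe: ", toEmojiUnsafe($input), PHP_EOL;
echo "safe:   ", toEmojiSafe($input), PHP_EOL;
```

Because toEmojiSafe does its own escaping and the only markup in its output is the img tags it generated from its own table, it belongs in Blade as {!! toEmojiSafe($text) !!}; with {{ }} the img tags would be escaped a second time and show up as text again. The arrow functions need PHP 7.4 or later.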

dollar, 2018-09-10
@dollar

You can, of course, strip certain tags and attributes out of the code. But that is not a very good approach. Today there is an onclick attribute that you successfully cut out; tomorrow they will invent a new doubleclick attribute, and after that tripleclick. And each time you will have to patch up your parser.
It is better to approach the issue radically: make a white list of tags and their attributes, and cut everything else without mercy. True, for that you have to parse the code completely and then reassemble it (letting through only what is allowed). Writing such a parser is a little harder, but it is worth it.
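
An added example (not code from the thread) of the allow-list approach dollar describes, in plain PHP on the DOMDocument extension: the input is fully parsed, and the output is rebuilt from scratch so that only listed tags and attributes get through. Unknown tags are unwrapped to their text; script-like elements are dropped together with their content. The tag and attribute lists, the function names and the scheme check on href and src are assumptions. The scheme check is there because an attribute allow-list alone still lets javascript: URLs through in an allowed href.

```php
<?php
// Added example, not code from the thread: an allow-list HTML sanitizer built
// on DOMDocument. The allowed tags/attributes, the URL scheme policy and the
// function names are assumptions for illustration.
declare(strict_types=1);

// Tag => attributes permitted on it. Anything not listed is removed.
const ALLOWED_TAGS = [
    'b' => [], 'i' => [], 'em' => [], 'strong' => [], 'p' => [], 'br' => [],
    'a' => ['href'],
    'img' => ['src', 'alt'],
];
// Elements whose content is dropped along with the element itself.
const DROP_WITH_CONTENT = ['script', 'style', 'template', 'iframe', 'object', 'embed'];
const VOID_TAGS = ['br', 'img'];
const URL_ATTRS = ['href', 'src'];
const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];

function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Reject URLs whose scheme is not allowed (javascript:, data:, vbscript: ...).
// Control characters and whitespace are stripped first because browsers ignore
// them inside a scheme, so "java\tscript:" would otherwise slip past.
function safeUrl(string $url): bool
{
    $compact = preg_replace('/[\x00-\x20\x7f]+/', '', $url) ?? '';
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $compact, $m) === 1) {
        return in_array(strtolower($m[1]), ALLOWED_SCHEMES, true);
    }
    return true; // relative URL, no scheme
}

function sanitizeHtml(string $html): string
{
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true); // malformed user HTML is expected
    $doc->loadHTML(
        '<!DOCTYPE html><html><head><meta http-equiv="Content-Type" '
        . 'content="text/html; charset=utf-8"></head><body>' . $html . '</body></html>'
    );
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    $body = $doc->getElementsByTagName('body')->item(0);
    return $body === null ? '' : serializeChildren($body);
}

function serializeChildren(DOMNode $node): string
{
    $out = '';
    foreach ($node->childNodes as $child) {
        $out .= serializeNode($child);
    }
    return $out;
}

// Re-emit one node from scratch; nothing from the input is copied verbatim.
function serializeNode(DOMNode $node): string
{
    if ($node instanceof DOMText) {
        return esc($node->data);          // text is always escaped on output
    }
    if (!$node instanceof DOMElement) {
        return '';                         // comments, PIs: dropped
    }
    $tag = strtolower($node->tagName);
    if (in_array($tag, DROP_WITH_CONTENT, true)) {
        return '';
    }
    if (!array_key_exists($tag, ALLOWED_TAGS)) {
        return serializeChildren($node);  // unknown tag: keep its text, lose the tag
    }
    $attrs = '';
    foreach ($node->attributes as $attr) {
        $name = strtolower($attr->name);
        if (!in_array($name, ALLOWED_TAGS[$tag], true)) {
            continue;                      // onclick, onerror, style, ... never listed
        }
        if (in_array($name, URL_ATTRS, true) && !safeUrl($attr->value)) {
            continue;
        }
        $attrs .= ' ' . $name . '="' . esc($attr->value) . '"';
    }
    if (in_array($tag, VOID_TAGS, true)) {
        return '<' . $tag . $attrs . '>';
    }
    return '<' . $tag . $attrs . '>' . serializeChildren($node) . '</' . $tag . '>';
}

// Constructed input: every fragment carries something the allow-list should strip.
$input = '<b onclick="alert(1)">bold</b><script>alert(2)</script>'
    . '<a href="&#106;avascript:alert(3)">bad link</a><a href="https://example.com">ok</a>'
    . '<img src="/img/emoji/smile.png" alt=":)" onerror="alert(4)"><!-- hidden -->';
echo sanitizeHtml($input), PHP_EOL;
```

Going through a real HTML parser means entity-encoded payloads such as &#106;avascript: are already decoded when the scheme check runs, which regex-based tag stripping misses. This shows the principle; for production, a maintained allow-list sanitizer such as HTML Purifier is the safer choice, since it also covers the attribute, URL and CSS corner cases this sketch does not.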

Timofey, 2015-03-18
@mr_T

Angular does not have a conditional attribute-setting construct like ng-class, so either write something like attr="{{condition ? trueValue : falseValue}}" or, if what is required is the presence/absence of the attribute, use ng-switch/ng-if. Binding to the class of tr will also not work directly; in that case you need to write the construction ng-class="{ 'some-class': condition }" on tr and check for this condition in td.
