Information Security
IvanIF, 2020-10-01 20:51:49

How to protect an input field that may contain html tags from XSS attacks?

I have a thematic portal where users can publish their material.
This material may contain HTML tags, so it cannot be output via the htmlspecialchars() function.
It would be possible to filter tags with strip_tags(), but that doesn't solve the problem.
How to filter the received data and remove attacks like this:

<body onload=alert('xss')>
<img src=javascript:alert('xss')>
<body background="javascript:alert('xss')" >
<meta http-equiv="refresh" content="0;url=javascript:alert('xss');">
<style type="text/javascript">alert('xss');</style>


2 answer(s)
Vladimir Dubrovin, 2020-10-02
@IvanIF

Use DOMPurify

Dimonchik, 2020-10-01
@dimonchik2013

Well, at least you named the PHP functions, since you forgot the tag. You leave only the allowed tags and check the contents of such tags by parsing the XML; you will have exactly one of them: img.
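An allowlist sanitizer along the lines of this answer, as an added PHP example (not code posted by either answerer; the allowed tags, attributes and URL schemes are my assumptions). It parses with DOMDocument so entity-encoded tricks are decoded before any check, keeps only listed tags and attributes, and rejects href/src values whose scheme is not http, https or mailto.

```php
<?php
// Added example (not from either answer): allowlist HTML sanitizer on DOMDocument; tag lists are assumptions.
final class HtmlSanitizer
{
    // Allowed tags and the attributes each may keep. Anything not listed, including every on* handler, is dropped.
    private const ALLOWED = [
        'p' => [], 'br' => [], 'b' => [], 'i' => [], 'ul' => [], 'li' => [],
        'a' => ['href', 'title'], 'img' => ['src', 'alt'],
    ];
    // Tags whose text content must not survive even as plain text.
    private const DROP = ['script', 'style', 'iframe', 'object', 'embed', 'meta', 'link', 'base'];
    public static function sanitize(string $html): string
    {
        if (trim($html) === '') { return ''; }
        $doc = new DOMDocument();
        libxml_use_internal_errors(true);                   // tolerate broken markup
        $doc->loadHTML('<?xml encoding="utf-8"?>' . $html); // the declaration makes libxml read UTF-8
        libxml_clear_errors();
        $body = $doc->getElementsByTagName('body')->item(0);
        if ($body === null) { return ''; }
        // Snapshot the element list first: the tree is modified while walking it.
        foreach (iterator_to_array((new DOMXPath($doc))->query('//body//*')) as $el) {
            $tag = strtolower($el->tagName);
            if (in_array($tag, self::DROP, true)) {
                $el->parentNode->removeChild($el);
            } elseif (!isset(self::ALLOWED[$tag])) {         // unknown tag: keep children, lose the wrapper
                while ($el->firstChild !== null) { $el->parentNode->insertBefore($el->firstChild, $el); }
                $el->parentNode->removeChild($el);
            } else {
                foreach (iterator_to_array($el->attributes) as $attr) {
                    $name = strtolower($attr->name);
                    $ok = in_array($name, self::ALLOWED[$tag], true)
                        && (!in_array($name, ['href', 'src'], true) || self::safeUrl($attr->value));
                    if (!$ok) { $el->removeAttribute($attr->name); }
                }
            }
        }
        $out = ''; // serialise only the body's children, so a top-level <body onload=...> is left behind
        foreach ($body->childNodes as $child) { $out .= $doc->saveHTML($child); }
        return $out;
    }
    // Relative URLs and http/https/mailto pass; javascript:, data:, vbscript: do not.
    // libxml has already decoded entities, so &#106;avascript: arrives here as javascript:.
    private static function safeUrl(string $url): bool
    {
        $url = preg_replace('/[\x00-\x20]+/', '', $url);                        // browsers skip these in schemes
        if (!preg_match('/^([a-z][a-z0-9+.-]*):/i', $url, $m)) { return true; } // no scheme: relative URL
        return in_array(strtolower($m[1]), ['http', 'https', 'mailto'], true);
    }
}
// Run the question's <img> payload, plus an event-handler attribute, through it.
echo HtmlSanitizer::sanitize("<img src=javascript:alert('xss')> <b onclick=x>ok</b>"), "\n";
```

The question's other payloads (body, meta, style) disappear entirely because body attributes are never serialised and meta/style are dropped or moved into head by the parser.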
