PHP
littleguga, 2015-03-12 20:29:00

Is the train of thought correct?

There is a field (say, a comment on the site) that can contain HTML code and should be displayed as HTML. Is it enough to wrap the output of this field in <code></code> tags to protect against XSS, or not?
Thanks in advance for your reply!


3 answer(s)
Dmitry Bay, 2015-03-12
@littleguga

Not enough. Check it out for yourself by entering the following code on your website:
Use this library: htmlpurifier.org; it's quite simple.

alektive, 2015-03-12
@alektive

Any normal CMS validates input, especially user comments. There are standard functions in PHP that convert the characters "/<:;{ etc. to Unicode.
PS: As my teacher said, "Write a program so that a fool does not accidentally break it."

FanatPHP, 2015-03-13
@FanatPHP

If you do not use user input, then you do not need to protect yourself from anything.
If it is used and HTML is not allowed, then htmlspecialchars().
If it is used but HTML is allowed, then htmlpurifier.org.
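
Added example (not code posted by anyone in this thread): a PHP script that compares the three options the answers describe side by side, namely the <code>-wrapping proposed in the question, htmlspecialchars() for the case where HTML is not allowed, and HTMLPurifier for the case where some HTML is allowed. The sample comment, the looks_executable() smoke check, and the Composer autoload path are assumptions of this example; the HTMLPurifier part runs only if the library from htmlpurifier.org is installed.

```php
<?php
// Added example for this thread, not code from any of the participants.
// Requires PHP >= 7.4. The HTMLPurifier step is exercised only when the
// library (htmlpurifier.org) is present; the Composer path is an assumption.
declare(strict_types=1);

// Constructed sample comment: legitimate <code> markup plus two XSS payloads.
const SAMPLE_COMMENT = '<code>echo "hi";</code>'
    . '<script>alert(document.cookie)</script>'
    . '<img src="x" onerror="alert(1)">';

// What the question proposes: wrap the raw field in <code>...</code>.
// <code> is an ordinary inline element; the browser keeps parsing tags
// inside it, so the <script> and the onerror handler still execute.
function render_in_code_tags(string $comment): string
{
    return '<code>' . $comment . '</code>';
}

// HTML not allowed: escape everything. ENT_QUOTES also escapes single quotes
// (the default before PHP 8.1 did not), ENT_SUBSTITUTE avoids returning an
// empty string on invalid UTF-8, and the charset is stated explicitly.
function render_escaped(string $comment): string
{
    $safe = htmlspecialchars($comment, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<code>' . $safe . '</code>';
}

// HTML allowed: let HTMLPurifier keep an allow-list of tags and attributes
// and drop everything else. Returns null when the library is not loaded.
function render_purified(string $comment): ?string
{
    if (!class_exists('HTMLPurifier')) {
        return null;
    }
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed', 'p,b,i,code,pre,a[href]');
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    return (new HTMLPurifier($config))->purify($comment);
}

// Crude smoke check for this demonstration only: does the output still
// contain a real <script> tag or a tag carrying an on*= event attribute?
// (Escaped output has no '<' left except the wrapper, so it never matches.)
function looks_executable(string $html): bool
{
    return (bool) preg_match('/<script\b|<[a-z][^>]*\son[a-z]+\s*=/i', $html);
}

$autoload = __DIR__ . '/vendor/autoload.php'; // assumed Composer layout
if (is_file($autoload)) {
    require $autoload;
}

foreach ([
    'wrapped in <code> only' => render_in_code_tags(SAMPLE_COMMENT),
    'htmlspecialchars()'     => render_escaped(SAMPLE_COMMENT),
    'HTMLPurifier'           => render_purified(SAMPLE_COMMENT),
] as $label => $output) {
    if ($output === null) {
        printf("%-24s (library not installed, skipped)\n", $label);
        continue;
    }
    printf("%-24s executable=%s\n%s\n\n", $label,
        looks_executable($output) ? 'yes' : 'no', $output);
}
```

Run it with `php xss_demo.php`: the first variant prints the comment with the <script> tag and the onerror attribute intact, the htmlspecialchars() variant prints only entities (`&lt;script&gt;...`) that the browser renders as text, and the HTMLPurifier variant keeps the <code> element and discards the rest. Note that htmlspecialchars() is the right tool only for output placed into an HTML body or a quoted attribute; a value inserted into inline JavaScript or a URL needs context-specific encoding instead.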
