views: 172
answers: 2

My site utilizes a WYSIWYG editor for users to update their accounts, enter comments, and send private messages.

The editor (CKEditor) is great for only allowing users to enter valid input, but I worry about injection through TamperData or other means.

How can I control this on the server side?

I need to whitelist specific tags: <b><ul><ol><a><img><br>, will this be a SAFE approach to preventing XSS?

+1  A: 

strip_tags is going to be your friend. The second parameter lets you pass in an array of allowed tags.

MANCHUCK
+4  A: 

Use HTML Purifier:

HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist.

Sarfraz
Is there an advantage of doing this over strip_tags with my own white-list?
pws5068
Actually, I found my answer here: http://htmlpurifier.org/comparison Thank you for your help.
pws5068
@pws5068: You are welcome :)
Sarfraz
+1 for nice lib
MANCHUCK
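As an added example (not code from this thread, nor from strip_tags or HTML Purifier), here is the difference between the two answers in Python: a tag-only allowlist, which is what strip_tags with allowed tags gives you, leaves every attribute on an allowed tag untouched, so the allowlist has to cover attributes and URL schemes too. It assumes the tags from the question plus `<li>`, a hypothetical per-tag attribute table, and a constructed sample input.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags from the question, plus <li> (assumed, since <ul>/<ol> need it), each
# mapped to the attributes it may keep. Any other tag is dropped entirely.
ALLOWED = {"b": set(), "ul": set(), "ol": set(), "li": set(), "br": set(),
           "a": {"href"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}

def safe_url(value):
    """Accept relative URLs and http/https/mailto; reject every other scheme."""
    scheme = urlparse(value.strip()).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES

class Sanitizer(HTMLParser):
    def __init__(self, attr_allowlist):
        super().__init__(convert_charrefs=True)
        self.attr_allowlist = attr_allowlist
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return                       # tag dropped; its text still flows through
        if self.attr_allowlist:
            attrs = [(n, v) for n, v in attrs
                     if n in ALLOWED[tag] and v is not None
                     and (n not in URL_ATTRS or safe_url(v))]
        # attr_allowlist=False keeps every attribute, as strip_tags() does
        rendered = "".join(f' {n}="{escape(v or "", quote=True)}"' for n, v in attrs)
        self.out.append(f"<{tag}{rendered}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED and tag not in ("br", "img"):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))    # text is always re-escaped on output

def sanitize(fragment, attr_allowlist=True):
    p = Sanitizer(attr_allowlist)
    p.feed(fragment)
    p.close()
    return "".join(p.out)

# Constructed sample: allowed tags carrying a script URL and an event handler.
SAMPLE = ('<b>hi</b> <a href="javascript:alert(1)">x</a>'
          '<img src="p.png" onerror="alert(1)"><script>alert(2)</script>')
```

Running `sanitize(SAMPLE, attr_allowlist=False)` keeps both the `javascript:` href and the `onerror` handler, while `sanitize(SAMPLE)` drops them and keeps only `src="p.png"`.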