Remove XSS attacks while still allowing html?

4
votes

Ok, now I have a dilemma, I need to allow users to insert raw HTML but also block out all JS - not just script tags but from the href etc. at the moment, all I know of is

htmlspecialchars($string, ENT_QUOTES, 'UTF-8');

But this also converts valid tags into encoded characters. If I use striptags, it also doesn't work as it removes tags! (I know that you can allow tags but the thing is if I allow any tags such as <a></a> people can add malicious JS to it.

Is there anything I can do to allow html tags but without the XSS injection? I have planned a function: xss() and have setup my site's template with that. It returns the escaped string. (I just need help with escaping :))

Thanks!

1
phpxss
This may be useful. shiflett.org/blog/2007/mar/allowing-html-and-preventing-xsstwodayslate
What does your application really do? Normally, the people use BBCode for text formatting, exactly because of this issue!Sebastian Breit
Related: stackoverflow.com/questions/3847631/…twodayslate
@Perroloco well I am making a CMS but the problem is that when someone inserts SOURCE which happens sometimes - they can be doing so genuinely or because they want to hack the site. BBCode is not an option as I've already started the site and people have already posted things so changing between HTML and BBCode is not acceptable. Good suggestion though!user115422
@twodayslate umm... i guess that could help but I am pretty new with plugins, can you show me a sample of how I would use htmlpurifier? I like the idea but I need it to work on the xss() function, I have written too much code to be able to do anything but edit what xss() does - its stored in a settings file.user115422

1 Answers

3
votes

Related: Preventing XSS but still allowing some HTML in PHP

Example code from HTMLPurifier Docs:

require_once '/path/to/HTMLPurifier.auto.php';

$config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);
$clean_html = $purifier->purify($dirty_html);

You can use that code as a reference in your xss(...) method.