I want to use fckeditor in an app where I normally htmlspecialchars() almost all content to the browser. However, clearly I can't do that now, so I am wondering what filters people use to prevent XSS attacks, tables that don't close, etc. from being input by users?
Thanks for any suggestions. Looking for a PHP solution if possible.
RE: Prevent XSS attacks and other HTML
You may use the strip_tags function in PHP to strip HTML selectively ( http://www.php.net/manual/en/function.strip-tags.php ). You may set a list of allowable tags like this: strip_tags($Return_data_from_fckeditor,'<p><b><br>'); will remove all tags but not the <p>, <b> and <br>.
You may also "validate" your HTML by parsing all your return data and counting occurrences of <table, <tr and <td, then making sure that there is an equal amount of </table, </tr and </td.
Simple example:
<?php
$sString = "<table><tr><td></td></table>";
$aStartTags = explode(",", "<td,<tr,<table");
$aEndTags = explode(",", "</td,</tr,</table");
$num_starttags = count($aStartTags);
$num_endtags = count($aEndTags);
if ($num_endtags != $num_starttags) die('Number of starttags and endtags NOT equal');
$sOut = '';   // collect messages here instead of using @ to hide an undefined-variable notice
for ($i = 0; $i < $num_endtags; $i++) {
    // substr_count on "<td" also matches "<td>" and "<td class=...>"; the same holds for the end tags
    $num_occurences_starttags = substr_count($sString, $aStartTags[$i]);
    $num_occurences_endtags = substr_count($sString, $aEndTags[$i]);
    if ($num_occurences_endtags != $num_occurences_starttags) $sOut .= '<br />Number of ' . $aStartTags[$i] . ' is not equal to ' . $aEndTags[$i];
}
if ($sOut === '') $sOut = '<br />HTML is ok';
echo $sOut;
The example will fail and say that there is something wrong with the <tr tag.
BR Martin Kronstad
RE: Prevent XSS attacks and other HTML
Thank you, that is an excellent start. My next step is to try and control attributes (e.g. JS). I am reading the strip_tags comments, but if anyone has other suggestions that would be great.
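For the attribute problem raised in the reply above, here is an added example that is not from this thread: a PHP allow-list filter built on DOMDocument, which removes every tag and attribute not on the list, rejects href/src values outside an allowed set of schemes, and re-serialises the parsed tree so unclosed table tags come back out balanced. The function name filter_html and the tag/attribute lists are my own choices, not anything the poster or fckeditor provides.

```php
<?php
// Added example, not code from the thread. Allow-list filter on PHP's DOMDocument
// (libxml): tags/attributes not listed are removed, URL attributes must use an
// allowed scheme, and re-serialising the tree balances unclosed <tr>/<table>.
function filter_html(string $html): string
{
    // Hypothetical allow-list: tag => permitted attributes. Adjust per application.
    $allowed = [
        'p' => [], 'b' => [], 'i' => [], 'br' => [], 'ul' => [], 'ol' => [], 'li' => [],
        'table' => [], 'tr' => [], 'td' => [], 'th' => [],
        'a' => ['href', 'title'], 'img' => ['src', 'alt'],
    ];
    // Elements whose content must go too; other disallowed tags are unwrapped.
    $dropWithContent = ['script', 'style', 'iframe', 'object', 'embed', 'noscript'];

    libxml_use_internal_errors(true);           // tolerate sloppy editor output
    $doc = new DOMDocument();
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $html . '</body>');
    libxml_clear_errors();

    $xpath = new DOMXPath($doc);
    // Snapshot the node list first, because the loop mutates the tree.
    foreach (iterator_to_array($xpath->query('//body//*')) as $el) {
        $tag = strtolower($el->nodeName);
        if (!isset($allowed[$tag])) {
            if (!in_array($tag, $dropWithContent, true)) {
                while ($el->firstChild) {        // keep the text, lose the tag
                    $el->parentNode->insertBefore($el->firstChild, $el);
                }
            }
            $el->parentNode->removeChild($el);
            continue;
        }
        foreach (iterator_to_array($el->attributes) as $attr) {
            $name = strtolower($attr->nodeName);
            $value = trim($attr->nodeValue);      // entities are already decoded here
            if (!in_array($name, $allowed[$tag], true)
                || (in_array($name, ['href', 'src'], true)
                    && !preg_match('#^(https?:|mailto:|/|\#)#i', $value))) {
                $el->removeAttribute($attr->nodeName);  // on* handlers, style, javascript: ...
            }
        }
    }

    $out = '';
    foreach ($doc->getElementsByTagName('body')->item(0)->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}
```

Run on the thread's own sample, filter_html("<table><tr><td></td></table>") returns the table with the missing </tr> restored, while an <a href="javascript:..."> or an onclick attribute is dropped. A maintained sanitiser library such as HTML Purifier covers more edge cases than this single function; the block shows the allow-list approach, not a drop-in replacement.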
RE: Prevent XSS attacks and other HTML