问题描述:

I want to create a system that allows users to write articles. Each section of the article would be stored in a database. My concern is XSS and SQL injection, but mostly XSS.

This won't be a public thing, it'd just be for people who I trust to create content. However, I'd rather not leave a gaping hole in my security just because I trust people.

Now, I'd like to allow my users to use HTML in their articles, so I can't just remove every tag. It'd be nice to let them use JavaScript, but I'm willing to remove tags if I have to. If I do that, I'd also have to remove stuff like onclick="do something malicious".

I'm using parameterized queries, so I don't think I have to worry about SQL injection that much, but I'm not sure.

I guess my question is, how far should I go with sanitizing my input and how should I do it?

Edit: I think I'd be fine with just removing JavaScript. Any special effects that users need can be handled with built-in JavaScript. It looks like I can use HTML Purifier to strip JavaScript, but it's a pretty big library and I think I might be able to write a smaller, more specific solution. I'd just go through each attribute and check it against a white list. Would that work to prevent XSS?

网友答案:

I came across a very nice article on XSS few months back. Go with the article and you would get an idea how to prevent XSS. http://www.sitepoint.com/php-security-cross-site-scripting-attacks-xss/

In your case where you want html as an input from the end user, use plugins that will filter the html inputs and then store it in the database. Here is a link how you can do it. http://htmlpurifier.org/

About SQL Injection, if you are using parameterized query then it will take care of it.

网友答案:

If you're using an WYSIWYG HTML editor such as TinyMCE, there are built in functions to strip potentially malicious code, such as <script> tags and so on, you can check the function that instantiates the editor for detail of banned tags, functions and so on.

Note: TinyMCE should not be used for sanitizing as it is a client-side editor, and sanitizing should only be done server-side.

相关阅读:
Top