Environment for this post: PHP; framework: ThinkPHP 3.2 (TP3.2).
1. HTMLPurifier 4.6.0: https://files.cnblogs.com/files/samgo/htmlpurifier-4.6.0.zip
Unzip the downloaded package, rename the directory to htmlpurifier, and place it where the require_once path in step 2 points (a path beginning with ./ is resolved relative to the entry script, so in practice the project root that holds index.php). The directory and file names must match that path exactly, since Linux file systems are case-sensitive.
2. Define a common function clearxss() in Application/Common/Common/function.php (note: the file must be named function.php, not functions.php, or TP3.2 will not load it).
/* XSS filter for rich-text input */
function clearxss($string)
{
    // Path is relative to the entry script; the file is HTMLPurifier.auto.php
    // and the case matters on Linux.
    require_once './htmlpurifier/HTMLPurifier.auto.php';

    // Build the configuration object (directive names are case-sensitive)
    $_clean_xss_config = HTMLPurifier_Config::createDefault();
    $_clean_xss_config->set('Core.Encoding', 'UTF-8');
    // HTML tags, and the attributes on them, that are allowed through
    $_clean_xss_config->set('HTML.Allowed', 'div,b,strong,i,em,a[href|title],ul,ol,li,p[style],br,span[style],img[width|height|alt|src]');
    // CSS properties that may appear inside the allowed style attributes
    $_clean_xss_config->set('CSS.AllowedProperties', 'font,font-size,font-weight,font-style,font-family,text-decoration,padding-left,color,background-color,text-align');
    // Add target="_blank" to <a> tags
    $_clean_xss_config->set('HTML.TargetBlank', true);

    // Build the purifier from the configuration and filter the string
    $_clean_xss_obj = new HTMLPurifier($_clean_xss_config);
    return $_clean_xss_obj->purify($string);
}

Everything not on these lists is removed: event-handler attributes such as onclick are not in HTML.Allowed, and an href or src whose scheme is not in HTMLPurifier's URI.AllowedSchemes (by default http, https, mailto, ftp, nntp and news) is dropped, which is what neutralises javascript: links. HTMLPurifier also caches its compiled definitions on disk under the library directory (library/HTMLPurifier/DefinitionCache/Serializer) unless Cache.SerializerPath points elsewhere, so that directory must be writable by the web server user.
3. When the form is POSTed, read every field that does not come from the rich-text editor (product name, price, and so on) with TP's I() function, which applies the framework's default filter (htmlspecialchars in TP3.2); pass only the rich-text content (for example the product description) through clearxss().
Note: rich-text and non-rich-text fields should be filtered separately. If clearxss() is applied to everything, a non-rich-text field such as the product name can still carry any of the HTML tags clearxss() allows (links, images, styled spans), which breaks the page layout wherever that field is displayed.
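The three steps above put together, as an added example that is not part of the original post: a TP3.2 controller action that stores a product. The controller and module names, the form field names and the Product model are assumptions for illustration; clearxss() is the function defined in step 2, and the third argument of I() is assumed to replace DEFAULT_FILTER for that single field, as it does in TP3.2's I() implementation.

```php
<?php
// Application/Home/Controller/ProductController.class.php (assumed path)
namespace Home\Controller;

use Think\Controller;

class ProductController extends Controller
{
    public function add()
    {
        if (!IS_POST) {
            $this->display();
            return;
        }

        $product = array(
            // Plain fields: I() applies DEFAULT_FILTER (htmlspecialchars in TP3.2),
            // so '<', '>' and '"' in the product name are entity-encoded, never rendered.
            'name'  => I('post.name'),
            // The '/f' modifier casts the value to float; a non-numeric string becomes 0.
            'price' => I('post.price/f', 0),
            // Rich-text field: passing 'clearxss' as the filter replaces htmlspecialchars
            // for this field only, so the editor's HTML is purified rather than escaped.
            'description' => I('post.description', '', 'clearxss'),
        );

        if ('' === $product['name']) {
            $this->error('Product name is required');
        }

        // M('Product') maps to the assumed product table; add() returns the new id or false.
        if (M('Product')->add($product)) {
            $this->success('Saved');
        } else {
            $this->error('Save failed');
        }
    }
}
```

With this split, a name such as `<b>Shoes</b>` is stored entity-encoded and shows up literally, while a description containing `<p onclick="...">` or `<a href="javascript:...">` keeps its paragraph and link tags but loses the onclick attribute and the javascript: URI, because neither is on the allow-lists configured in clearxss().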
HTMLPurifier: filtering XSS in rich-text editor content