Javascript-filter the results submitted by the Rich Text Editor

Source: Internet
Author: User
Generally, rich text editors such as Baidu's ueditor directly return a piece of HTML code after editing. To prevent XSS attacks, I would like to ask how to filter the data before importing it into the database. Is there a good solution? (The HTML is displayed directly after the front end reads it. For example, this question is submitted in a rich text editor.)

Currently, you can use:

  • Set the rich text editor to paste as plain text (this may inconvenience users, but the SF editor seems to do this, while retaining hyperlinks)
  • Use a class library such as the Kses PHP HTML filter class to set which tags and tag attributes are retained.

Do you have any good and efficient practices?

Reply content:


Using the plain text display to reduce invalid HTML code and prevent XSS attacks has no effect. Any JS code on the client is laid bare in front of attackers.

If you only need to edit common rich text without directly modifying the HTML code, you can consider UBB code.
If you must directly support HTML, you can find the XSS filters of open-source projects such as WordPress/Drupal.

I am not sure that I agree with @paqi's "pick up and use" solution.
If you want to prevent XSS attacks, you must filter on the server.
For example, tinymce is used in the log editing box of Renren. The front end adopts a filter function (escape method), so it is not filtered on the server! As long as the front end disables JS, tinymce fails to load and exposes the bare textarea, and JavaScript code can be injected at will.

Therefore, no matter how strict the front-end defense is, the server must do it again.

If you are a bit harsh, escape "<" and ">".
If you are a little loose, remove tags such as script and iframe.

The solution to this problem is simple.
One of several methods is base64 encoding and decoding.

Basically, it is an escape, and the output is unchanged;
this operation is required to filter this part. If you add a preg_match method for URLs, replace all items that are not on this site.
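A server-side whitelist filter of the kind the two replies above describe (keep only listed tags and attributes, drop script/iframe together with their bodies, and reject link targets that are not on this site), written here as an added example in Python with only the standard library rather than the Kses PHP class; the tag policy and the host `example.com` are assumptions, not any project's defaults.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Whitelist: tag -> attributes it may keep (an assumed policy, not the defaults of any library).
ALLOWED = {"p": set(), "br": set(), "b": set(), "strong": set(), "i": set(), "em": set(),
           "ul": set(), "ol": set(), "li": set(), "a": {"href", "title"}, "img": {"src", "alt"}}
DROP_CONTENT = {"script", "style", "iframe", "object", "embed"}  # drop the tag AND its body
ALLOWED_HOSTS = {"example.com"}  # constructed stand-in for "this site" from the reply

def safe_url(value):  # relative or same-site http(s) only; rejects javascript:, data:, off-site
    try:  # browsers ignore control characters and whitespace inside URLs, so strip them first
        u = urlparse(re.sub(r"[\x00-\x20]", "", value))
    except ValueError:  # malformed (e.g. bad IPv6 literal): fail closed
        return False
    return u.scheme in ("", "http", "https") and (u.hostname is None or u.hostname in ALLOWED_HOSTS)

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.stack, self.skip = [], [], 0  # output pieces, open tags, drop depth

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1  # discard everything up to the matching close tag
        elif not self.skip and tag in ALLOWED:  # any other tag is dropped, its text kept
            kept = [f' {n}="{escape(v, quote=True)}"' for n, v in attrs if n in ALLOWED[tag]
                    and v is not None and (n not in ("href", "src") or safe_url(v))]
            self.out.append(f"<{tag}{''.join(kept)}>")
            if tag not in ("br", "img"):  # void elements take no closing tag
                self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in self.stack:  # also closes anything left open inside it
            idx = len(self.stack) - 1 - self.stack[::-1].index(tag)
            self.out.extend(f"</{t}>" for t in reversed(self.stack[idx:]))
            del self.stack[idx:]

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))  # re-escape so text never becomes markup

def sanitize(html):
    p = Sanitizer()
    p.feed(html)
    p.close()  # flushes buffered trailing text
    return "".join(p.out) + "".join(f"</{t}>" for t in reversed(p.stack))
```

Because the output is rebuilt from parsed tokens rather than patched with regular expressions, event-handler attributes, unknown tags and HTML comments never reach the output, and unbalanced input still produces balanced markup.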

Looking at Baidu's ueditor, I can only say that many things are not designed freely and flexibly. The keyword [filter rule] cannot be found, so we recommend that you do not use ueditor, because it is not mature enough!

We recommend that you:

  • KindEditor, which can be picked up and used as is
  • wysihtml5 with custom styles, because it is a kernel

For a rich text editor based on wysihtml5, you can refer to bootstrap-wysihtml5.

Both of the above rich text editors have a filtering mechanism. You can read their documentation to learn more.
