PHP: Use the rich-text filter HTML Purifier to prevent XSS (cross-site scripting) attacks

Source: Internet
Author: User

As WYSIWYG HTML editors have become popular, many websites use them, for example FCKeditor, Baidu UEditor, and so on.

Cross-site scripting (XSS) attacks are no longer a new topic, and even many large companies have suffered from them. The simplest and most direct defence is to allow no HTML tags at all and to encode all user input (HTMLEncode).

But what if you want user input to support some formatting? One approach is the BB code used on many forums: a specific tag stands in for a piece of formatting, for example [B] for bold. However, BB code is not widely accepted, its expressiveness is poor, and it is not a standard format.

To make user input more expressive, a large number of HTML editor controls have appeared, notably FCKeditor, FreeTextBox, Rich TextBox, Cute Editor, TinyMCE and so on. I personally prefer Cute Editor: it is powerful, performs well and is easy to customize.

The potential danger of these HTML editor controls is that users may enter dangerous characters that are injected into the website and form an XSS attack. One of the simplest inputs is:

<script>alert('XSS')</script>

XSS input attacks can also be HTML code snippets, such as:

(1) Make the page refresh constantly: <meta http-equiv="Refresh" content="0;">
(2) Embed another website in the page: <iframe src=http://xxxx width=250 height=250></iframe>

How should PHP developers protect against XSS attacks (is there a PHP function that prevents XSS)? The HTML Purifier tool is recommended here.

HTML Purifier Official website: http://htmlpurifier.org/

HTML Purifier is a boon for WYSIWYG editors: it is an HTML filter written in PHP 5, supports custom filtering rules, and converts non-standard HTML into standards-compliant HTML.
As a standards-based HTML filter it produces valid HTML code, and its many configuration options let it filter out JavaScript code and so effectively prevent XSS.

I. Requirements for using HTML Purifier

HTML Purifier only requires PHP 5.0.5 or above and does not depend on any other core components. HTML Purifier is not compatible with zend.ze1_compatibility_mode.

The following five optional extensions enhance HTML Purifier's capabilities:

* iconv: converts text to and from non-UTF-8 encodings
* bcmath: used for unit conversion and imagecrash protection
* tidy: used for pretty-printing HTML
* CSSTidy: cleans CSS stylesheets when using %Core.ExtractStyleBlocks
* Net_IDNA2 (PEAR): IRI support when using %Core.EnableIDNA

Please read the detailed HTML Purifier installation instructions before use: http://htmlpurifier.org/live/INSTALL

II. Basic usage

By default, UTF-8 encoding and the XHTML 1.0 Transitional document type are used.

// Load the autoloader shipped with the library (path relative to this script).
require_once 'htmlpurifier/library/HTMLPurifier.auto.php';
$config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);

$dirtyHtml = <<<EOF
<script>alert("World");</script>
EOF;

$cleanHtml = $purifier->purify($dirtyHtml);

Output (the value of $cleanHtml): an empty string, because the script element and its contents are removed.
It filters XSS code; the XSS payloads it is tested against are listed at: http://htmlpurifier.org/live/smoketests/xssAttacks.php

It also automatically completes broken (unclosed) tags.

III. Using the configuration

The configuration object is used mainly to set the filtering rules, and it is simple to use:

$config = HTMLPurifier_Config::createDefault();
// ... set configuration directives on $config here ...
$purifier = new HTMLPurifier($config);

Detailed configuration directives: http://htmlpurifier.org/live/configdoc/plain.html
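As an added example (not code from the original article or from the HTML Purifier project), the following whitelist configuration is typical for rich-text editor output and is run against a constructed sample containing the three payloads listed above plus an unclosed tag. The library path and the allowed element list are assumptions; adjust them to your installation and needs.

```php
<?php
// Added example: whitelist-style HTML Purifier configuration for editor output.
// Assumes the library is installed at this relative path (adjust as needed).
require_once 'htmlpurifier/library/HTMLPurifier.auto.php';

function makeEditorPurifier()
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('Core.Encoding', 'UTF-8');
    $config->set('HTML.Doctype', 'XHTML 1.0 Transitional');
    // Whitelist (assumed for this example): only these elements/attributes survive.
    // script, iframe, meta, event-handler attributes etc. are not listed, so they are removed.
    $config->set('HTML.Allowed',
        'p,br,b,strong,i,em,u,ul,ol,li,blockquote,a[href|title],img[src|alt]');
    // Only these URL schemes are accepted in href/src values.
    $config->set('URI.AllowedSchemes', array('http' => true, 'https' => true, 'mailto' => true));
    // Drop elements left empty after filtering (e.g. a <p> that only held a script).
    $config->set('AutoFormat.RemoveEmpty', true);
    // Add rel="nofollow" to user-supplied links.
    $config->set('HTML.Nofollow', true);
    // Disable the definition cache here; in production set Cache.SerializerPath
    // to a writable directory instead.
    $config->set('Cache.DefinitionImpl', null);
    return new HTMLPurifier($config);
}

// Constructed sample input: the three payloads from the article plus an unclosed <b>.
$dirtyHtml = <<<EOF
<p>Hello <b>world</p>
<script>alert('XSS')</script>
<meta http-equiv="Refresh" content="0;">
<iframe src="http://xxxx" width="250" height="250"></iframe>
<p>See <a href="https://example.com" title="ok">this page</a></p>
EOF;

$purifier = makeEditorPurifier();
echo $purifier->purify($dirtyHtml);
```

Only the two paragraphs survive: the unclosed <b> is closed, the script, meta and iframe are removed, and the link gains rel="nofollow".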
