A CMS usually integrates an online editor such as FCKEditor in its back end for editing article content, but that makes cross-site scripting (XSS) attacks very easy. Let's take a look at how HTML Purifier can prevent XSS attacks while still allowing rich HTML.
With the popularity of visual (WYSIWYG) HTML editors, many websites use editors such as FCKEditor and Baidu UEditor.
Cross-site scripting (XSS) attacks are no longer a new topic, and even many large companies suffer from them. The simplest and most direct defence is to disallow any HTML tag input and HTML-encode user input (htmlencode).
What if you want to support some formatting in user input? One approach, used by many forums, is BB Code: specific tags stand in for formatting, such as [B] for bold. However, BB Code is not widely accepted; its expressive power is limited and it is not a standard format.
To make user input more expressive, a large number of HTML editor controls have emerged, including FCKEditor, FreeTextBox, Rich TextBox, Cute Editor, TinyMCE, and so on. I personally prefer Cute Editor, which has powerful functions, good performance, and easy customization.
The potential danger of using these HTML editor controls is that users may enter dangerous markup, which is then injected into the website and forms an XSS attack. The simplest such input is:
<script>alert('xss')</script>
XSS payloads may also be HTML fragments, such as:
(1) markup that constantly refreshes the web page
(2) embedded links to other websites
How can PHP developers prevent XSS attacks? Here it is easy to recommend the HTML Purifier tool.
HTML Purifier official website: http://htmlpurifier.org/
HTML Purifier is an HTML filter written for PHP 5. It supports custom filtering rules and converts non-standard HTML into standards-compliant HTML, which is a gift for WYSIWYG editors.
HTML Purifier complies with W3C standards: it generates standard HTML code and offers many configuration options that filter out JavaScript and effectively prevent XSS.
I. Requirements for using HTML Purifier
HTML Purifier only requires PHP 5.0.5 or later and depends on no other core components. HTML Purifier is not compatible with zend.ze1_compatibility_mode.
The following five extensions are optional and enhance HTML Purifier's capabilities:
* iconv: converts text to and from non-UTF-8 encodings
* bcmath: used for unit conversion and imagecrash protection
* tidy: used for pretty-printing HTML
* CSSTidy: clean CSS stylesheets using %Core.ExtractStyleBlocks
* Net_IDNA2 (PEAR): IRI support using %Core.EnableIDNA
Before use, please read the detailed HTML Purifier installation instructions: http://htmlpurifier.org/live/INSTALL
II. Basic usage
By default it uses UTF-8 encoding and the XHTML 1.0 Transitional document type.
require_once('htmlpurifier/library/HTMLPurifier.auto.php');
$config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);
// Sample input (constructed; the original value did not survive extraction).
$dirty_html = '<b>Hello</b><script>alert("xss")</script>';
echo $purifier->purify($dirty_html); // output: <b>Hello</b>
XSS filtering in action (the library's XSS attack smoke test, showing which vectors are filtered): http://htmlpurifier.org/live/smoketests/xssAttacks.php
Incomplete (unclosed) tags are automatically completed.
III. Configuration
Configuration is mainly used to set the filtering rules, and it is easy to use.
$config = HTMLPurifier_Config::createDefault();
// something....
$purifier = new HTMLPurifier($config);
Detailed configuration directives: http://htmlpurifier.org/live/configdoc/plain.html
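A whitelist-style configuration for content saved from a WYSIWYG editor, as an added example (not the article's or the library's own code): the library path, the allowed tag list and the sample input are assumptions to adapt to the editor features a site actually uses.

```php
<?php
// Added example: whitelist configuration for HTML Purifier. The include path,
// the allowed elements and the sample input below are assumptions.
require_once 'htmlpurifier/library/HTMLPurifier.auto.php';

function makeEditorPurifier()
{
    $config = HTMLPurifier_Config::createDefault();

    // Match the encoding and document type the site actually emits.
    $config->set('Core.Encoding', 'UTF-8');
    $config->set('HTML.Doctype', 'XHTML 1.0 Transitional');

    // Whitelist: only these elements and attributes survive. Everything else
    // (script, iframe, object, on* handlers, style attributes) is dropped.
    $config->set('HTML.Allowed',
        'p,br,b,strong,i,em,u,ul,ol,li,blockquote,h2,h3,'
        . 'a[href|title],img[src|alt|width|height]');

    // Only these URI schemes are kept; javascript:, data: and vbscript:
    // links are removed rather than escaped.
    $config->set('URI.AllowedSchemes', array(
        'http' => true, 'https' => true, 'mailto' => true,
    ));

    // Do not embed images or other resources from foreign hosts (stops
    // tracking beacons), and mark links nofollow so spam gains nothing.
    $config->set('URI.DisableExternalResources', true);
    $config->set('HTML.Nofollow', true);

    return new HTMLPurifier($config);
}

// Constructed sample of editor content carrying typical XSS vectors.
$dirty = '<p onclick="alert(1)">Hello <b>world</b></p>'
       . '<script>alert("xss")</script>'
       . '<a href="javascript:alert(1)">link</a>'
       . '<img src="x" onerror="alert(1)">';

$purifier = makeEditorPurifier();
$clean = $purifier->purify($dirty);

// Store $clean rather than $dirty; purified markup is safe as HTML body
// content, but still escape it when placed in attributes, JavaScript or URLs.
echo $clean;
```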