Show Html User Input, Security Issue
On my website, users will be able to input HTML tags for the content so the text can be bold or italic, or contain links and images. I plan to use ckeditor or tinymce, which are really using HT
Solution 1:
You need to use both a server-side HTML sanitizer and a Content Security Policy preventing inline scripts, eval and remotely hosted scripts.
Depending on what language you are using server side, use HtmlSanitiser or Python Bleach.
Using either client-side validation or naive filtering will not protect you at all:
- client-side validation, as suggested by @Smamatti, will not help you if a user submits the form manually.
- naive filtering such as
      str_replace('<script>', '', $str);
  suggested by @user1477388 will not protect you when someone uploads
      <script src="foo">
  or
      <<script>script>alert('foo');</script>
  or
      <body onload="alert('foo')"></body>
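Added example (not code from the question, the answer, or any of the libraries named above): a Python equivalent of the str_replace filter beside a small allowlist sanitizer built on the standard library's html.parser, both run against the answer's three payloads. A production site should still use a maintained sanitizer such as Bleach, as the answer recommends; the class here only shows why an allowlist holds where a blacklist fails.

```python
import html
from html.parser import HTMLParser

# Allowlist for the question's use case: bold, italic, links and images.
# Any other tag (script, body, ...) or attribute (onload, ...) is dropped.
ALLOWED = {"b": set(), "i": set(), "a": {"href"}, "img": {"src", "alt"}}
SAFE_URL_PREFIXES = ("http://", "https://", "/")  # rejects javascript:, data:

# The three bypasses quoted in the answer, as constructed test input.
PAYLOADS = [
    '<script src="foo">',
    "<<script>script>alert('foo');</script>",
    '<body onload="alert(\'foo\')"></body>',
]

def naive_filter(s: str) -> str:
    """Python equivalent of the answer's str_replace('<script>', '', $str)."""
    return s.replace("<script>", "")

class AllowlistSanitizer(HTMLParser):
    """Rebuilds the input keeping only allowlisted tags and attributes."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # unknown tag is dropped together with all its attributes
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue  # e.g. onload, onerror, style
            if name in ("href", "src") and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                continue  # javascript: and data: URLs are rejected
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED and tag != "img":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data))  # text can never turn into markup

def sanitize(s: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(s)
    parser.close()
    return "".join(parser.out)
```

The naive filter leaves the first and third payloads untouched and turns the second into a working script tag; the allowlist pass yields no script, body or event-handler markup for any of them.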