WYSIWIG Textbox editors and Cross Site scripting attacks

Question

riddleyw 0 Newbie Poster

14 Years Ago

I've been looking at incorporating a wysiwig editor in my PHP pages like tinyedit or iRite. Something very much like the box I'm entering this message in, it would have the ability to let the user add links, underlines, bold, etc into blog posts and comments.

However, does this necessarily open my users up to cross site scripting? I know just enough about cross site scripting to know that you're supposed to filter out the bad stuff with htmlentities, but if I do that on a message with formatting and links, won't I be killing those links and formatting as well?

What is the best practice?

Thanks in advance

php

4 Contributors
4 Replies
76 Views
19 Hours Discussion Span
Latest Post 14 Years Ago Latest Post by diafol

samarudge 16 Posting Whiz

14 Years Ago

If you look up strip_tags on the PHP website you can define a list of the allowable tags. For example the quick reply editor on Daniweb has bold (, ) italic () underline () paragraphs () spans (<span) and links (<a>) so you would set a function like

$Input = strip_tags($_POST['user_input'], '<b><strong><i><u><p><span><a>');

Edited 14 Years Ago by samarudge because: n/a

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

riddleyw 0 Newbie Poster · Answer 1 · 2010-03-24T17:56:12+00:00

Thanks!
How do they handle code snippets, then? How are they kept in the message but kept from becoming live and danggerous

liamfriel 4 Junior Poster · Answer 2 · 2010-03-24T18:03:50+00:00

strip_tags removes php tags also: for javascript etc i use this function:

#this will strip javascript/html then prepare the script for inserting into database
function make_safe($string) {
    $string = preg_replace('#<!\[CDATA\[.*?\]\]>#s', '', $string);
    $string = strip_tags($string);
    $string = htmlentities($string, ENT_NOQUOTES, 'UTF-8', false);
    $string = stripslashes($string);
    $string = mysql_real_escape_string($string);
    return $string;
}

any additions would be welcome.

diafol · Answer 3 · 2010-03-24T21:13:26+00:00

Just one point - if tags aren't closed properly by the WW editor - there goes the rest of your page! Ensure that your editor / own code checks for closed tags and quotes.