I'm working on a project where the public (so everyone) is allowed to insert HTML through TinyMCE for their own project page. Since everyone is allowed to use this feature, I need a 100% safe way of inserting the TinyMCE output into my database, and showing it on another page just as it was inserted by the user.
XSS, SQL injection and all that other crap is not what I want on my new website! I could do htmlentities -> htmlspecialchars and later on use htmlentities_decode, but is this 100% safe, and is it the best way of doing it?
SQL injection is in most cases easily avoided with the use of prepared statements.
XSS is more difficult if you're planning to allow users to post HTML markup. You need to remove all <script> tags, all on* attributes from tags, all javascript: urls, and even then that's probably not fully guaranteed to make the input HTML safe. There are libraries such as HTMLPurifier that can help, but so long as you allow HTML, you're at risk of letting something malicious through.
You could use a library that implements something such as markdown or wikitext instead. This severely limits what users can enter, whilst still letting them mark the content up to an extent. It's not foolproof (people can still just post links to malicious sites and hope users click through to them, which some will be naive enough to actually do), and you'll not be able to use a rich editor such as TinyMCE without some sort of plugin, but it's a much simpler job to sanitize markdown than it is to sanitize HTML.
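As an added example (not code from the answer's author or from HTMLPurifier), here is the approach the answer describes, written for the PHP stack the question implies: an allowlist sanitizer that works on the parsed DOM, so it drops <script> and its contents, strips every on* attribute, and rejects javascript: URLs in href/src, followed by a PDO prepared statement for storage. The table and column names (project_pages, user_id, body_html) and the sample input are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example, not the answer's own code. Allowlist-based HTML sanitizer on the DOM
// plus a prepared-statement insert. A maintained library such as HTMLPurifier is still
// the better choice in production; this shows the mechanics the answer lists.

// Only these tags survive. Anything else is unwrapped (text kept) or dropped entirely.
const ALLOWED_TAGS = ['p', 'br', 'b', 'strong', 'i', 'em', 'u', 'ul', 'ol', 'li',
                      'h1', 'h2', 'h3', 'blockquote', 'a', 'img'];
// Elements whose text must go too: keeping the body of a <script> would leave code on the page.
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed', 'noscript'];
// Per-tag attribute allowlist. on* handlers and style are simply not listed, so they are removed.
const ALLOWED_ATTRS = ['a' => ['href', 'title'], 'img' => ['src', 'alt', 'title']];
// URL schemes accepted in href/src. Scheme-less (relative) URLs are accepted as well.
const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];

function isSafeUrl(string $url): bool
{
    // Browsers skip control characters and whitespace inside a scheme, so remove them
    // before matching. The DOM parser has already decoded entities in the attribute value.
    $compact = preg_replace('/[\x00-\x20]+/', '', $url) ?? '';
    if (!preg_match('/^([a-z][a-z0-9+.-]*):/i', $compact, $m)) {
        return true; // no scheme present: a relative URL
    }
    return in_array(strtolower($m[1]), ALLOWED_SCHEMES, true);
}

function cleanNode(DOMNode $parent): void
{
    // Snapshot the children: removing from a live NodeList while iterating skips entries.
    foreach (iterator_to_array($parent->childNodes) as $child) {
        if ($child instanceof DOMText) {
            continue; // text is inert once the surrounding markup is controlled
        }
        if (!($child instanceof DOMElement)) {
            $parent->removeChild($child); // comments, CDATA, processing instructions
            continue;
        }
        cleanNode($child); // clean descendants first so unwrapped children are already safe
        $tag = strtolower($child->tagName);
        if (in_array($tag, DROP_WITH_CONTENT, true)) {
            $parent->removeChild($child);
            continue;
        }
        if (!in_array($tag, ALLOWED_TAGS, true)) {
            // Unknown tag: hoist its (already cleaned) children, then remove the tag itself.
            while ($child->firstChild !== null) {
                $parent->insertBefore($child->firstChild, $child);
            }
            $parent->removeChild($child);
            continue;
        }
        $allowed = ALLOWED_ATTRS[$tag] ?? [];
        $names = [];
        foreach ($child->attributes as $attr) {
            $names[] = $attr->nodeName;
        }
        foreach ($names as $name) {
            $lname = strtolower($name);
            $isUrl = in_array($lname, ['href', 'src'], true);
            if (!in_array($lname, $allowed, true) || ($isUrl && !isSafeUrl($child->getAttribute($name)))) {
                $child->removeAttribute($name);
            }
        }
    }
}

function sanitizeHtml(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // user HTML is rarely well-formed; collect, do not emit, warnings
    // Declare the encoding explicitly and wrap the fragment so it can be located afterwards.
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $root = $doc->getElementsByTagName('div')->item(0); // the wrapper is the first div in document order
    if ($root === null) {
        return '';
    }
    cleanNode($root);
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function storeProjectPage(PDO $db, int $userId, string $rawHtml): void
{
    $safe = sanitizeHtml($rawHtml);
    // The HTML travels as a bound parameter and is never spliced into the SQL text.
    $stmt = $db->prepare('INSERT INTO project_pages (user_id, body_html) VALUES (:uid, :body)');
    $stmt->execute([':uid' => $userId, ':body' => $safe]);
}

// Constructed sample input covering the three cases the answer lists.
$sample = '<p onclick="x()">Hello <b>world</b></p><script>x()</script>'
        . '<a href="javascript:x()">bad link</a> <a href="https://example.com" title="ok">good link</a>';
echo sanitizeHtml($sample), PHP_EOL;
```

The point of working on the parsed DOM rather than on the raw string is that the parser has already normalised what the browser would normalise: tag names are lowercased, entity-encoded attribute values are decoded, and unclosed or nested tags are resolved, so the allowlist is applied to what will actually render. Still, as the answer says, this kind of filter is only as good as its allowlist, which is why a maintained library is preferable.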
It is not doable. You think to filter so that's a good point but in the end it won't be possible to lock it down totally if you accept html. Take a look at things like bbcode, markdown etc. to see some alternatives.
If you decide to accept HTML code it's not just filtering that needs to be done, even encodings can generate serious security issues. Search for UTF-7, for example, to see what kind of issues can arise. See some examples here: http://www.webappsec.org/projects/articles/091007.txt
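As an added example (not code from this answer's author), the encoding side of the problem in PHP: the server declares the charset explicitly so the browser never has to guess it, refuses input that is not valid UTF-8, and passes the charset to htmlspecialchars when it escapes. The function names are this example's own, and the final lines only illustrate why byte-level validation on its own does not cover the UTF-7 case the answer points at.

```php
<?php
declare(strict_types=1);

// Added example, not the answer's own code. Charset handling as part of the defence:
// an undeclared charset lets the browser sniff one, and a sniffed UTF-7 decoding turns
// harmless-looking ASCII into markup. Fix the charset, validate bytes, escape with it.

function isValidUtf8(string $s): bool
{
    return mb_check_encoding($s, 'UTF-8');
}

// Accept user text only when it is well-formed UTF-8; do not silently "repair" bad bytes,
// because a repaired string may no longer be the one that was checked.
function acceptUserHtml(string $raw): string
{
    if (!isValidUtf8($raw)) {
        throw new InvalidArgumentException('Body must be valid UTF-8');
    }
    return $raw;
}

// The escaping route from the question: always state the charset, and use ENT_SUBSTITUTE
// so an invalid sequence becomes U+FFFD rather than making the whole result an empty string.
function escapeForHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Emit the page with the charset fixed in the HTTP header and repeated in <meta>.
// The header wins in the browser; the meta tag covers the file when saved to disk.
function sendHtmlPage(string $bodyHtml): void
{
    header('Content-Type: text/html; charset=UTF-8');
    echo '<!DOCTYPE html><html><head><meta charset="UTF-8"><title>Project page</title></head><body>',
         $bodyHtml,
         '</body></html>';
}

// Why the declared charset matters: a UTF-7 rendering of markup consists only of ASCII
// bytes, so it is also valid UTF-8 and contains none of the characters htmlspecialchars
// touches. Both functions above pass it unchanged; only the declared charset keeps the
// browser from decoding it as UTF-7.
$utf7 = mb_convert_encoding('<b>', 'UTF-7', 'UTF-8');
var_dump(isValidUtf8($utf7));
var_dump(escapeForHtml($utf7) === $utf7);
```

Run it from the command line to see that the UTF-7 string passes both the validity check and the escaper untouched; in a real deployment the `Content-Type` header from sendHtmlPage is what makes that harmless, which is why the charset belongs in the response rather than being left to the browser.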