I am using CKEditor in my site to let the users post their comments. CKEditor has many buttons to compose the comment. Suppose a user makes his comment bold and italic, like this:
This is comment
And CKEditor will output the following HTML:
<i><strong>This is comment</strong></i>
Now, if I store this HTML in the MySQL database and output it on the webpage as it is, without wrapping it with htmlspecialchars(), then the comment will be shown on the page bold and italic, and this is what I want.
But on the other hand, if I wrap the comment with htmlspecialchars() and display it on the webpage, it will be shown as
<i><strong>This is comment</strong></i>
But I do not want to show it like this; I want the user's formatting. But if I do not wrap it with htmlspecialchars(), it is risky and it can cause XSS attacks and other security risks.
How can I achieve both purposes: (1) keep the user formatting, and (2) also secure the HTML contents?
You need to draw up a whitelist of what elements and attributes you want to allow your users to include (e.g. allow <strong> but not <script>; allow <a href> but not <div onmouseover>), and then enforce it by parsing the input, removing all elements and attributes that don't fit your pattern, and serialising the results back into HTML.
This is a hard job that cannot be done with a few simple regexes or strip_tags (which is NOT an adequate solution for XSS even if it did fit your needs). You would be well advised to use an existing library to do it - HTML Purifier is one such for PHP.
I think you are looking for strip_tags. It will remove all the HTML and PHP tags from the string and only allow the given tags, like <strong>, <i>, etc.
<?php
// Sample comment with an unwanted <script> element; the allowed-tags list keeps <i> and <strong>.
$str = "<i><strong>this is a comment</strong></i><script>here is script</script>";
echo $str = strip_tags($str, "<i><strong>");
?>
php.net documentation for strip_tags
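Added example (not code from the question or from either answer) that serves both answers above: it implements the "whitelist, parse, strip, serialise" approach the first answer describes using only PHP's DOM extension, and runs the second answer's strip_tags() on the same input so the difference is visible. The allow list (ALLOWED_HTML), the function names sanitizeComment()/cleanChildren() and the sample comment are all constructed for this illustration. For real deployments, HTML Purifier covers many cases (encodings, CSS, URL schemes, nesting rules) that this short version does not.

```php
<?php
// Allow list: element name => attributes permitted on it (constructed for this example).
const ALLOWED_HTML = [
    'strong' => [], 'em' => [], 'i' => [], 'b' => [], 'p' => [], 'br' => [],
    'a' => ['href'],
];

function sanitizeComment(string $dirty): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);            // malformed input is expected
    // The XML PI tells libxml the bytes are UTF-8; the wrapper <div> gives the
    // fragment a single root so NOIMPLIED can skip adding <html>/<body>.
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $dirty . '</div>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();

    $root = $doc->documentElement;               // the wrapper <div>
    cleanChildren($root);

    $out = '';
    foreach ($root->childNodes as $child) {      // serialise without the wrapper
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function cleanChildren(DOMNode $node): void
{
    // Copy the list first: removing/moving nodes mutates the live childNodes.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMText) {
            continue;                            // text nodes are serialised escaped
        }
        if (!($child instanceof DOMElement)) {
            $node->removeChild($child);          // comments, PIs, CDATA
            continue;
        }
        $tag = strtolower($child->tagName);
        if (!isset(ALLOWED_HTML[$tag])) {
            if ($tag === 'script' || $tag === 'style') {
                $node->removeChild($child);      // their bodies are code, not prose
            } else {
                // Unknown wrapper (div, span, ...): keep its cleaned children,
                // drop the element itself.
                cleanChildren($child);
                while ($child->firstChild) {
                    $node->insertBefore($child->firstChild, $child);
                }
                $node->removeChild($child);
            }
            continue;
        }
        // Allowed element: remove every attribute not on its list. This is the
        // step strip_tags() never performs, so on* handlers survive it.
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->name);
            $keep = in_array($name, ALLOWED_HTML[$tag], true);
            if ($keep && $name === 'href') {
                // Only plain web links are kept; any other scheme is dropped.
                $keep = (bool) preg_match('#^https?://#i', trim($attr->value));
            }
            if (!$keep) {
                $child->removeAttribute($attr->name);
            }
        }
        cleanChildren($child);
    }
}

// Constructed sample: the question's comment plus the two things the first
// answer says to reject, an inline event handler and a <script> element.
$comment = '<i><strong onmouseover="doSomething()">This is comment</strong></i>'
         . ' <a href="https://example.com/">link</a><script>doSomething()</script>';

// strip_tags removes the <script> tags (its text stays) but leaves the
// onmouseover attribute on the allowed <strong> untouched.
echo "strip_tags:  ", strip_tags($comment, '<i><strong><a>'), "\n";
// The whitelist pass keeps <i>, <strong> and the http(s) link, and drops the
// handler attribute together with the whole <script> element.
echo "whitelisted: ", sanitizeComment($comment), "\n";
```

Run it with `php sanitize.php` and compare the two lines: the first still carries the `onmouseover` attribute, the second does not. The allow list is deliberately small; add elements and attributes one at a time and decide for each attribute what values are acceptable, as done above for `href`.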