dongyuanguang3893 2010-06-03 18:28
浏览 55
已采纳

想要'沙盒'用户表单提交HTML

I have a user form with a textarea that allows users to submit html formatted data. The html itself is limited by PHP strip_tags, but of course that does no completion checking etc.

My basic problem is that should a user leave a tag unclosed, such as the <a> tag, then all the content following that, including page content that follows that is 'outside' the user content display area, could now be malformed.

Checking for proper tag completion is one solution I will look at, but ideally I'd like to firewall the user htmlified content away from the rest of the site somehow.

  • 写回答

3条回答 默认 最新

  • donglaoe2979 2010-06-03 18:45
    关注

    Use HTML Purifier. Very thorough and easy-to-use standalone plugin. It makes sure all markup is valid XHTML and also prevents XSS attacks.

    I would recommend saving two copies of the user's HTML input in your database. One copy would be the raw form that they submitted which you can use for when they edit their page later, and the second would be that sanitized by HTML Purifier which you display on output. Storing the sanitized version is much faster than runing HTML Purifier on every page load.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(2条)

报告相同问题?

悬赏问题

  • ¥15 unity第一人称射击小游戏,有demo,在原脚本的基础上进行修改以达到要求
  • ¥15 买了个传感器,根据商家发的代码和步骤使用但是代码报错了不会改,有没有人可以看看
  • ¥15 关于#Java#的问题,如何解决?
  • ¥15 加热介质是液体,换热器壳侧导热系数和总的导热系数怎么算
  • ¥100 嵌入式系统基于PIC16F882和热敏电阻的数字温度计
  • ¥15 cmd cl 0x000007b
  • ¥20 BAPI_PR_CHANGE how to add account assignment information for service line
  • ¥500 火焰左右视图、视差(基于双目相机)
  • ¥100 set_link_state
  • ¥15 虚幻5 UE美术毛发渲染