duan0818 2013-12-22 08:39

CKEditor XSS clean

I have a web project where I allow users to use CKEditor, and that's why I need to secure myself from any XSS. How do I minimise the risk of being "attacked" with XSS?

I don't know if this will be enough, I guess no:

// PHP (Laravel): keep only the listed tags; Input::get() reads the posted field
strip_tags(Input::get('text'), '<p><a><h1><h2>');

So the question is: how do I become XSS clean from CKEditor on the server side, and what do I need to do on the CKEditor side, i.e. which plugins to remove (I removed the source code plugin; maybe I should also remove the styles plugin)?


1 answer

  • dsyua2828 2013-12-22 12:19

    Use HTML Purifier.

    It was created specifically for sanitizing HTML and fixing invalid markup such as incorrectly nested tags or unescaped special characters.

    It doesn't matter what plugins you remove from CKEditor; a malicious user can completely bypass CKEditor and submit any string they want.

    strip_tags with $allowable_tags doesn't offer good enough protection from XSS, because scripts and styles can be embedded in tag attributes such as href, onmouseover, onerror, etc. It's also possible to reuse some of the application styles and scripts by adding id and class attributes.

    This answer was accepted by the asker.
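The following PHP is an added example, not code from the question or the answer above. It puts the asker's `strip_tags()` allow-list next to the HTML Purifier call the answer recommends and feeds both a few constructed payloads that hide entirely in attributes, which is exactly the gap the answer describes. It assumes HTML Purifier was installed with Composer (`ezyang/htmlpurifier`); the autoload path and the function names are assumptions for this example.

```php
<?php
// Added example (not from the original post): why strip_tags() with an
// allow-list of elements is not enough, and the HTML Purifier call that
// replaces it. Assumes a Composer install of ezyang/htmlpurifier; the
// autoload path below is an assumption, adjust it to your project.
require_once __DIR__ . '/vendor/autoload.php';

// The approach from the question: an element allow-list only.
// Attributes on the surviving elements are left completely untouched.
function weak_clean(string $html): string
{
    return strip_tags($html, '<p><a><h1><h2>');
}

// Replacement: HTML Purifier with the same element allow-list, but it also
// decides which attributes may remain and which URL schemes href may use,
// and it repairs malformed markup instead of passing it through.
function purifier_clean(string $html): string
{
    static $purifier = null;
    if ($purifier === null) {
        $config = HTMLPurifier_Config::createDefault();
        // Elements (and per-element attributes) that may remain.
        // Everything else, including style, class, id and on* handlers, is dropped.
        $config->set('HTML.Allowed', 'p,a[href],h1,h2');
        // Only http/https links; javascript:, data:, vbscript: hrefs are removed.
        $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
        // Disable the definition cache so the example runs without a writable dir.
        $config->set('Cache.DefinitionImpl', null);
        $purifier = new HTMLPurifier($config);
    }
    return $purifier->purify($html);
}

// Constructed inputs (not from a real attack): every element here is on the
// strip_tags allow-list, so weak_clean() returns each one unchanged; the
// payload lives in the attributes that strip_tags never looks at.
$payloads = [
    'javascript URL'  => '<a href="javascript:alert(document.cookie)">click me</a>',
    'event handler'   => '<p onmouseover="alert(1)">hover me</p>',
    'style injection' => '<h1 style="position:fixed;top:0;left:0;width:100%;height:100%">overlay</h1>',
    'class/id reuse'  => '<p id="logout-button" class="btn-primary">not a button</p>',
    'broken nesting'  => '<a href="https://example.com" title="x"><h2>bad nesting</p>',
];

foreach ($payloads as $name => $dirty) {
    echo "== $name ==\n";
    echo "strip_tags   : " . weak_clean($dirty) . "\n";
    echo "HTML Purifier: " . purifier_clean($dirty) . "\n\n";
}
```

Run it with `php example.php` after `composer require ezyang/htmlpurifier`. The point to observe is that `weak_clean()` echoes every payload back verbatim, while `purifier_clean()` returns the same elements with the `javascript:` href, the `onmouseover` handler, the `style`, `id` and `class` attributes removed and the unclosed `<h2>` repaired. Because this runs on the server against whatever bytes arrive in the request, it holds regardless of which CKEditor plugins are enabled on the client, which is the answer's main point.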
