Allow HTML
Are there any security downsides to allowing users to input HTML to the database, to be displayed on a 'profile' sort of page?
Set Search Time - A google chrome extension. When you search only results from the past year (or set time period) are displayed. Helps tremendously when using new technologies to avoid outdated results.
Layout breaking... is their own fault
If they want their page to look stupid.
What kind of scripts are you talking about...? And what's an XSS attack?
You can read chapter 2.3 and 2.4 at http://phpsec.org/projects/guide/..
So ermm, how could I go about allowing HTML in a safe way?
filtering for <script> and </script> ?
That seems like it would be a pretty extensive task. No one could possibly know all tags.
- feyd
You only need to know which tags you want to allow; all others are removed. For each tag there is a set list of legal (a la W3C) attributes; you should choose a subset of these for each tag that you want to allow. All other attributes are removed. The remaining attributes must be filtered for malicious content.
http://www.php.net/strip_tags and http://www.php.net/htmlentities may come in handy...
Okay, so to get this straight:
List of allowed tags,
Subset of allowed attributes for each allowed tag,
Remove all non-allowed tags and non-allowed attributes.
This would require a few pretty good regexes, right?
Also make sure you remember which of the tags were opened and close them if they are not closed.
You stated above that only they would get a corrupt page, but this might not be true for signatures etc.
And of course limit the width and height attributes to match your design. Pictures need to be checked for size and not displayed if they are too big or the wrong size.
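Putting the whole thread together (feyd's tag/attribute allowlist, the follow-up about closing unclosed tags and limiting image dimensions), here is an added example that is not from any poster. It uses Python's standard-library HTML parser rather than regexes, so nesting is tracked properly; the allowed tags, the http(s)-only URL rule and the 400x300 size limits are assumptions chosen for the example.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist (constructed for this example): tag -> attributes permitted on it.
ALLOWED = {"p": set(), "b": set(), "i": set(), "br": set(),
           "a": {"href"}, "img": {"src", "width", "height"}}
VOID = {"br", "img"}                 # tags that take no closing tag
SAFE_SCHEMES = ("http://", "https://")
MAX_WIDTH, MAX_HEIGHT = 400, 300     # hypothetical limits matching the page design

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags = [], []
    def _clean_attr(self, name, value):
        value = (value or "").strip()
        if name in ("href", "src"):  # absolute http(s) only: rejects javascript:, data:, ...
            return value if value.lower().startswith(SAFE_SCHEMES) else None
        if name in ("width", "height"):  # numeric and within the design limits
            limit = MAX_WIDTH if name == "width" else MAX_HEIGHT
            return value if value.isdigit() and int(value) <= limit else None
        return value
    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # tag dropped; its text content still arrives via handle_data
        kept, rejected = [], False
        for name, value in attrs:
            if name not in ALLOWED[tag]:
                continue  # attribute not on this tag's allowlist (onclick, style, ...)
            clean = self._clean_attr(name, value)
            rejected |= clean is None
            if clean is not None:
                kept.append(f' {name}="{escape(clean, quote=True)}"')
        if tag == "img" and (rejected or not any(k.startswith(" src=") for k in kept)):
            return  # bad src or oversize picture: the image is not displayed at all
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self.open_tags.append(tag)
    def handle_endtag(self, tag):
        if tag in self.open_tags:  # close back down to it so nesting stays balanced
            while (inner := self.open_tags.pop()) != tag:
                self.out.append(f"</{inner}>")
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(escape(data))  # text is always entity-encoded

def sanitize(untrusted_html):
    p = AllowlistSanitizer()
    p.feed(untrusted_html); p.close()
    p.out.extend(f"</{t}>" for t in reversed(p.open_tags))  # close what the user left open
    return "".join(p.out)
```

Note that a dropped `<script>` still leaves its text behind as harmless escaped text; if that is unwanted, the parser can discard data while inside a disallowed tag.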