On my website, users will be able to input HTML tags for the content so the text can be bold, italic, or contain links and images. I plan to use CKEditor or TinyMCE, which really use HTML tags (not BBCode or wiki syntax). If I allow HTML, when the text is shown it will be interpreted and it may contain some "hack" like JavaScript or XSS... What can I do to avoid this security issue? Do I have to list the wanted HTML tags and delete all unwanted tags and content? Can I use strip_tags for this?

How is it done on stackoverflow for example ?

Do you know of any PHP/jQuery plugins that can safely save and safely interpret a limited set of HTML tags?

Thanks in advance for your help

  • I think you can configure which elements are allowed in CKEditor. -- stackoverflow.com/questions/2912805/… Commented Sep 13, 2012 at 12:46
  • The simplest fix would be to just run str_replace('<script>', '', $str); or something like that. You would also do this for iframes. Commented Sep 13, 2012 at 12:48
  • Take a look at the HtmlSanitizer that is part of the Microsoft Web Protection Library. Commented Sep 13, 2012 at 12:57

1 Answer

You need to use both a server-side HTML sanitizer and a Content Security Policy preventing inline scripts, eval and remotely hosted scripts.

Depending on what language you are using server side, use HtmlSanitiser or python Bleach.

Using either client-side validation or naive filtering will not protect you at all:

  1. Client-side validation, as suggested by @Smamatti, will not help you if a user submits the form manually.
  2. Naive filtering such as str_replace('<script>', '', $str); suggested by @user1477388 will not protect you when someone uploads <script src="foo"> or <<script>script>alert('foo');</script> or <body onload="alert('foo')";</body>
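As an added example (not from the answer or any of the commenters), here is the whitelist approach in Python using only the standard library's html.parser, in place of the Bleach/HtmlSanitiser libraries the answer names; the tag whitelist, the naive_filter stand-in for str_replace, and the inputs checked are all constructed for this example:

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed whitelist for this example: tag -> attributes that may survive.
ALLOWED = {"b": set(), "i": set(), "strong": set(), "em": set(), "p": set(),
           "br": set(), "a": {"href"}, "img": {"src", "alt"}}
SAFE_SCHEMES = {"http", "https", ""}  # "" covers relative URLs


def safe_url(value):
    # Browsers ignore embedded tabs/newlines, so strip whitespace before
    # parsing; otherwise "java\tscript:" would look like a relative URL.
    value = re.sub(r"\s", "", value)
    return urlparse(value).scheme.lower() in SAFE_SCHEMES


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []  # the output is rebuilt from parsed tokens, not edited in place

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # unknown tag (script, body, iframe, ...) is dropped whole
        kept = []
        for name, value in attrs:  # html.parser has already decoded &#..; refs
            if name not in ALLOWED[tag] or value is None:
                continue  # drops every on* handler, style, etc.
            if name in ("href", "src") and not safe_url(value):
                continue  # drops javascript:, data:, vbscript: URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED and tag not in ("br", "img"):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))  # text is re-escaped, never copied through


def sanitize(html):
    parser = Sanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


def naive_filter(html):
    return html.replace("<script>", "")  # the str_replace idea from the thread
```

A production site should still reach for a maintained library such as HTML Purifier or Bleach, but the structure is the same: parse, whitelist tags and attributes, check URL schemes, re-serialize.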

5 Comments

I totally agree with Thomas. There are so many ways to encode malicious code that it is practically impossible to come up with a safe method that does (black list) filtering. For instance, take a look at this XSS Cheat Sheet to get an idea of what crazy ways there are to inject scripts. It's quite scary actually. For instance, try detecting this piece of code as malicious: <IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58; &#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>, or this one: <XSS STYLE="behavior: url(xss.htc);">.
Thanks to everybody for your answers. In fact, CKEditor is escaping the HTML tags or special characters which are not allowed. So when you select a tag, for example <strong>, it is sent as is to your form. But if you type a < or <strong>, the "<" are escaped. It seems that those guys thought about this security issue. Now my problem is that to show the text in a correct form, I need to do a htmlspecialchars_decode... So if somebody just sends some bad code to my PHP treatment page, I need to also manage it at this point. Security problems are really a pain....
@user: As Thomas said in (1), CKEditor is a client-side tool. You can't trust any validation measure that happens on the client side. An attacker could alter or bypass CKEditor and submit dangerous HTML. You must clean HTML on the server side. If you are using PHP the usual tool is HTML Purifier. FWIW, personally, for just bold/italic/image/links I'd use a smaller, friendlier, less complex language than HTML.
@bobince Thanks for HTML Purifier. What would you use for only those tags? BBCode? If you know a good and easy-to-use tool it would be nice.
@user1496486 stick with HTML if you're using CKEditor, just make sure you have parity with your client side and server side validation.
