2

Before I start I'd like to say I have read similar questions here, but I don't think they really answer the question: "Show HTML user input, security issue" and "Security risks from user-submitted HTML".

I think these highlight the problems quite well but I am essentially asking advice for best practice in these circumstances.

I have been programming for a while and have just now come to the point where I want website administrators to submit HTML markup to display the content they want in their own sites.

Securing this content in the database is fine but now I want to display it on the site securely.

Even though this feature is only available to the site admins, I still want to secure against malicious script injections and try to prevent them from breaking the page by using poor HTML.

Is the reality that I cannot safely guard against script injections as the threads above seemed to point out?

Do I use the mentality that if they break the site, it's down to them, or can I use some sort of markup validator when they update the content?

2
  • What language are you coding in? What possible script injections are you talking about? Do you want to allow HTML but forbid JavaScript? Can you give examples? Commented Jun 7, 2013 at 22:06
  • You could just whitelist certain HTML tags, depending on what content they're uploading. For instance, just allow <p><h1><h2><h3><br><img><div>. I believe TinyMCE has this built in... but that's only client side... you should still check and sanitize server side. Commented Jun 7, 2013 at 22:07

3 Answers

1

What do you think about markdown?

It's a safe way to submit HTML, and there are libraries for most popular languages.


0

You're correct: if you allow submitting pure HTML, there's no way to prevent all possible injections. Even if you disable the <script> tag in all its possible combinations (and there are many), there are other ways, like onfocus and onmouseover events, that can be used to run malicious code.


0

I would advise HTMLPurifier; it's the best solution out there for sure. Google it!

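As an added example that is not from the question or any of the answers, here is a minimal server-side allowlist sanitizer in Python (standard library only) that takes the opposite approach to blocklisting <script>: it keeps only the tags listed in the comment above, drops every attribute not explicitly allowed (so onfocus/onmouseover handlers never survive), rejects javascript: and data: image sources, and rebalances unclosed tags so bad markup cannot break the page. The tag list comes from that comment; the per-tag attribute policy (only src and alt on img) is a constructed assumption for this example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag allowlist from the comment above; the per-tag attribute policy is constructed.
ALLOWED = {"p": set(), "h1": set(), "h2": set(), "h3": set(), "div": set(),
           "br": set(), "img": {"src", "alt"}}
VOID = {"br", "img"}                    # tags that take no closing tag
SAFE_SCHEMES = {"http", "https", ""}    # "" covers relative URLs

def safe_url(value):
    # Browsers ignore tabs/newlines inside a scheme ("java\tscript:"), so strip
    # control characters before checking; rejects javascript:, data:, vbscript: ...
    value = "".join(ch for ch in value if ord(ch) > 31).strip()
    return urlparse(value).scheme.lower() in SAFE_SCHEMES

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)   # entities in attrs/text decoded
        self.out, self.open_tags = [], []         # open_tags keeps output balanced

    def handle_starttag(self, tag, attrs):        # tag and attr names arrive lowercased
        if tag not in ALLOWED:
            return          # tag dropped; e.g. a <script> body comes out as escaped text
        kept = []
        for name, value in attrs:
            if name in ALLOWED[tag] and value is not None:
                if name == "src" and not safe_url(value):
                    continue                      # javascript:/data: image source dropped
                kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open_tags:     # close anything still open inside it, then it
            while self.open_tags[-1] != tag:
                self.out.append("</%s>" % self.open_tags.pop())
            self.out.append("</%s>" % self.open_tags.pop())

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def sanitize(html):
    s = Sanitizer()
    s.feed(html)
    s.close()
    while s.open_tags:      # close whatever the author never closed
        s.out.append("</%s>" % s.open_tags.pop())
    return "".join(s.out)
```

For production, a maintained library such as HTMLPurifier (as the answer above suggests) or an equivalent for your language is the better choice; the point shown here is that an allowlist of tags and attributes plus a URL-scheme check, run server side, is what closes the event-handler class of injections that a <script> blocklist misses.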
