Best way to avoid javascript execution

I am using PHP and Zend Framework in my application. User can enter HTML code and admin can see this HTML code. I want to avoid XSS injection. All HTML code should render as any javascript. I tried to remove the tags script

, but it's not safe. User can add javascript to onclick

or other events.



source to share

2 answers

If you are looking for clearing user data from XSS I would look at HTML clearer

Removing just the script tags is not enough, you are missing out on any inline javascript people might add, among other things.

HTML cleaner , however, will remove everything for you. On their website:

HTML Purifier is a standard HTML filter library written in PHP. The HTML cleaner will not only remove all malicious code (better known as XSS) with a thoroughly checked, safe and permissive whitelist, it also ensures that your documents are standards compliant, which is only achievable with a full W3C.



I think it would be best to manually cover all vulnerabilities.

Start by removing script tags, then run regexes on events on

(onclick, onhover ...) and remove them. There's more disconnection ...

CodeIgniter (possibly other frameworks) has a xss_clean () function , you can look at it to see what they do,



All Articles