Ask your WordPress questions! Pay money and get answers fast! (more info)

How to sanitize a text field which can contain HTML input? WordPress

  • SOLVED

Within my application users can modify a setting for credits which allows them to add custom html which is displayed on frontend, like

Supplier, <a href="http://www.supplier.com">http://www.supplier.com</a>

An audit now showed, that this is vulnerable to XSS attacks, by adding the following for example to the settings field:

Supplier, <a href="http://www.mapbox.com">http://www.supplier.com</a><script>alert('1');</script> or <img src="javascript:alert('1');">

Usually I use htmlspecialchars() to mitigate XSS vulnerabilities, but in this case this will not work as links would also be displayed as text instead.

I tried to sanitize the output by using a function like

function xss_sanitize($string) {
return str_replace(array("javascript","<script>","</script>"), "", $string);
}


but that didnt seem to fully protect agains XSS as <ScRiPt> for example would still be possible and strtolower($string) and strip_tags() are not an option.

Is there a PHP function for this usecase? Or could <strong>PHP filters</strong> (support for PHP 5.2 needed!) provide a solution here? <strong>Splitting the string is not an option, users should be allowed to further enter HTML tags</strong>, just no script-tags/javascript:
Thx

Answers (2)

2014-04-10

Dbranes answers:

You can check out [[LINK href="https://codex.wordpress.org/Function_Reference/wp_kses"]]wp_kses()[[/LINK]]:

<blockquote>KSES is an iterative acronym and stands for “KSES Strips Evil Scripts".</blockquote>


rmaxwell comments:

yes, that´s what I was looking for - thanks!

2014-04-10

Francisco Javier Carazo Gil answers:

Have a look to this PHP library http://htmlpurifier.org/


Francisco Javier Carazo Gil comments:

I have used it and it is really useful for your problem.

The basic one is this:

require_once '/path-to/HTMLPurifier.auto.php';

$config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);
$clean_html = $purifier->purify($dirty_html);


rmaxwell comments:

thanks, looks good, but main advantage would be that this bloats up my application by at least 1MB, which would be 20% for just a tiny function I need, so another approach would be appreciated...