Within my application, users can modify a setting for credits which allows them to add custom HTML that is displayed on the frontend, like
Supplier, <a href="http://www.supplier.com">http://www.supplier.com</a>
An audit now showed that this is vulnerable to XSS attacks, by adding the following, for example, to the settings field:
Supplier, <a href="http://www.mapbox.com">http://www.supplier.com</a><script>alert('1');</script> or <img src="javascript:alert('1');">
Usually I use htmlspecialchars() to mitigate XSS vulnerabilities, but in this case this will not work, as links would also be displayed as text instead.
I tried to sanitize the output by using a function like
function xss_sanitize($string) {
    // case-sensitive blacklist: removes only these exact substrings
    return str_replace(array("javascript","<script>","</script>"), "", $string);
}
but that didn't seem to fully protect against XSS, as <ScRiPt> for example would still be possible, and strtolower($string) and strip_tags() are not an option.
Is there a PHP function for this use case? Or could PHP filters (support for PHP 5.2 needed!) provide a solution here? Splitting the string is not an option, users should be allowed to further enter HTML tags, just no script tags/javascript:
Thx
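An allow-list approach for this field, as an added example that is not code from the question or any answer: instead of removing known-bad strings, the stored HTML is parsed with DOMDocument and only the elements, attributes and URL schemes on a short list are written back out, so `<ScRiPt>`, `<img src="javascript:...">` and `onclick` handlers never reach the output. The tag list, the scheme list and the function names are assumptions for the example; it uses only PHP 5.2-era features (no closures, no short array syntax).

```php
<?php
// Added example, not code from the question or any answer: an allow-list
// sanitizer for the "credits" field, restricted to PHP 5.2-era features.

// Elements the field may contain and the attributes each may keep. The list
// itself is an assumption for this example; widen it per application need.
$GLOBALS['CREDITS_ALLOWED_TAGS'] = array(
    'a'      => array('href', 'title'),
    'strong' => array(),
    'em'     => array(),
    'br'     => array(),
);

// Elements removed together with their content; every other disallowed
// element is unwrapped, i.e. the tag goes but its (escaped) text stays.
$GLOBALS['CREDITS_DROP_WITH_CONTENT'] = array('script', 'style', 'iframe', 'object', 'embed');

// URL schemes an href may use; javascript:, data:, vbscript: etc. are rejected.
$GLOBALS['CREDITS_ALLOWED_SCHEMES'] = array('http', 'https', 'mailto');

// Returns true when an href is relative or uses an allowed scheme. Whitespace
// and control characters are stripped first because browsers skip them when
// recognising a scheme ("java\tscript:" still runs in a browser).
function credits_href_is_safe($href)
{
    $value = html_entity_decode($href, ENT_QUOTES, 'UTF-8');
    $value = preg_replace('/[\x00-\x20]+/', '', $value);
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $value, $m)) {
        return true; // no scheme at all: a relative link, which cannot run script
    }
    return in_array(strtolower($m[1]), $GLOBALS['CREDITS_ALLOWED_SCHEMES'], true);
}

// Serialises one DOM node into sanitised HTML, recursing into its children.
function credits_render_node($node)
{
    if ($node->nodeType == XML_TEXT_NODE) {
        return htmlspecialchars($node->nodeValue, ENT_QUOTES, 'UTF-8');
    }
    if ($node->nodeType != XML_ELEMENT_NODE) {
        return ''; // comments, CDATA, processing instructions: drop
    }
    $tag = strtolower($node->nodeName);
    if (in_array($tag, $GLOBALS['CREDITS_DROP_WITH_CONTENT'], true)) {
        return '';
    }
    $inner = '';
    for ($child = $node->firstChild; $child !== null; $child = $child->nextSibling) {
        $inner .= credits_render_node($child);
    }
    $allowed = $GLOBALS['CREDITS_ALLOWED_TAGS'];
    if (!isset($allowed[$tag])) {
        return $inner; // unknown element such as <img> or <div>: unwrap it
    }
    $attrs = '';
    foreach ($allowed[$tag] as $name) {
        if (!$node->hasAttribute($name)) {
            continue;
        }
        $value = $node->getAttribute($name);
        if ($name == 'href' && !credits_href_is_safe($value)) {
            continue; // drop the attribute, keep the element
        }
        $attrs .= ' ' . $name . '="' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '"';
    }
    if ($tag == 'br') {
        return '<br>';
    }
    return '<' . $tag . $attrs . '>' . $inner . '</' . $tag . '>';
}

// Parses the stored field value and re-emits only what the allow-list permits.
function credits_sanitize($html)
{
    $dom = new DOMDocument();
    $prev = libxml_use_internal_errors(true); // user HTML is rarely well-formed
    // The XML prolog makes libxml treat the input as UTF-8; the wrapper <div>
    // is a single known root to walk, whatever libxml adds around it.
    $dom->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>');
    libxml_use_internal_errors($prev);
    $root = $dom->getElementsByTagName('div')->item(0);
    $out = '';
    if ($root !== null) {
        for ($child = $root->firstChild; $child !== null; $child = $child->nextSibling) {
            $out .= credits_render_node($child);
        }
    }
    return $out;
}

// Constructed sample input: the payload from the audit plus a mixed-case variant.
$dirty = 'Supplier, <a href="http://www.mapbox.com">http://www.supplier.com</a>'
       . '<script>alert(\'1\');</script> or <img src="javascript:alert(\'1\');">'
       . ' <A HREF="JaVaScRiPt:alert(1)" onclick="alert(2)">mixed case</A>';
echo credits_sanitize($dirty), "\n";
```

The parser, not a string match, decides what an element is, so case tricks and attribute-quoting tricks do not help an attacker; the script element is dropped with its content, the img element vanishes, the link keeps its http href, and the mixed-case anchor survives only as an element without href or onclick. Because the output is rebuilt from the DOM with htmlspecialchars() on every text and attribute value, the result is well-formed regardless of how broken the input was.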
Francisco Javier Carazo Gil answers:
Have a look at this PHP library: http://htmlpurifier.org/
Francisco Javier Carazo Gil comments:
I have used it and it is really useful for your problem.
The basic one is this:
require_once '/path-to/HTMLPurifier.auto.php';
$config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);
$clean_html = $purifier->purify($dirty_html);
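For this specific field the default configuration is broader than needed; the following is an added example, not part of the original comment, of restricting HTML Purifier to an allow-list of elements and URL schemes. It uses the library's own directives HTML.Allowed and URI.AllowedSchemes in the 4.x dotted syntax; the include path is a placeholder and the helper function name is an assumption.

```php
<?php
// Added example, not part of the original answer: restricting HTML Purifier
// to the tags the credits field needs. Directive names are HTML Purifier's
// own (HTML.Allowed, URI.AllowedSchemes); the include path is a placeholder.
require_once '/path-to/HTMLPurifier.auto.php';

// Builds the purifier once per request; configuration parsing is the slow part.
function credits_purifier()
{
    static $purifier = null;
    if ($purifier === null) {
        $config = HTMLPurifier_Config::createDefault();
        // Allow-list: only these elements and attributes survive; everything
        // else, including <script>, <img> and on* handlers, is removed.
        $config->set('HTML.Allowed', 'a[href|title],strong,em,br');
        // Reject javascript:, data: and any other scheme not listed here.
        $config->set('URI.AllowedSchemes', array('http' => true, 'https' => true, 'mailto' => true));
        $purifier = new HTMLPurifier($config);
    }
    return $purifier;
}

// Constructed sample input: the payload from the audit in the question.
$dirty_html = 'Supplier, <a href="http://www.supplier.com">http://www.supplier.com</a>'
            . '<script>alert(\'1\');</script> or <img src="javascript:alert(\'1\');">';
$clean_html = credits_purifier()->purify($dirty_html);
echo $clean_html, "\n";
```

Keeping the allow-list this short also keeps the audit question simple: anything not named in HTML.Allowed cannot appear in the output, whatever casing or encoding the input used.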
rmaxwell comments:
Thanks, looks good, but the main advantage would be that this bloats up my application by at least 1 MB, which would be 20% for just a tiny function I need, so another approach would be appreciated...