
I have been reading online that you should always escape data that users submit to the database by using {{...}} in Laravel 5. However, I have a website where my members use TinyMCE. I'm filtering the script and PHP tags in TinyMCE but I want to show the text formatted with HTML.

So I use the {!!...!!} Blade tag. How do forums and other websites that allow people to enter HTML stay protected from XSS? Are there any techniques I need to use in my website to decrease the chances of a successful XSS attack?

halfer
rafiaTech
  • Instead of escaping, you must filter: http://htmlpurifier.org/. You must use a good library here - it is common for people to try to write their own "lightweight" one, but it is usually a bad idea from a sec perspective. – halfer May 09 '15 at 20:41
  • See [my answer here](http://security.stackexchange.com/a/61134/8340) for some general tips (not Laravel specific though). – SilverlightFox May 10 '15 at 07:33

2 Answers


Make sure you strip out at least all script tags and remove handlers for other elements. The key is to make sure you don't allow JS to run. Another option is to serve the HTML from another subdomain and load it as an iframe with the sandboxing attributes set.

One more option is to instead of having them submit in HTML, use something like markdown.

Could also do with stripping out any URLs.

Kevin Nagurski
  • Markdown on its own is not sufficient protection against XSS: https://michelf.ca/blog/2010/markdown-and-xss/ - it still needs filtering. – halfer May 09 '15 at 20:40
  • @halfer absolutely agree. – Kevin Nagurski May 09 '15 at 21:49
  • [My answer here](http://stackoverflow.com/a/21244925/413180) expands on this approach, although my approach was answering a requirement of where scripts are allowed. If not, simply remove `allow-scripts` from the sandbox attribute. – SilverlightFox May 10 '15 at 07:36

The key is to either whitelist or filter the user-entered content heavily with a library like HTML Purifier. For a short list and comparison of available HTML filtering libraries you can take a look at the comparison page of HTML Purifier. You may also want to read html5sec.

Whatever you do, though, don't try to write your own solution in an attempt to "extract the truly needed methods". Reinventing the wheel is always time wasted, but in this case it would probably introduce risks you cannot foresee.

Marco Kerwitz
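The whitelist approach both answers point at, as an added example that is not code from either answer or from the HTML Purifier project: a PHP helper that configures HTML Purifier with an explicit tag/attribute whitelist for TinyMCE output, so script tags, `on*` handlers and `javascript:` URLs are dropped before the content is ever stored or rendered with `{!! !!}`. It assumes the `ezyang/htmlpurifier` Composer package is installed; the allowed-tag list and the sample input are constructed for the example.

```php
<?php
// Added example: whitelist-based HTML Purifier setup for user-submitted HTML.
// Assumes `composer require ezyang/htmlpurifier` has been run in the project.
require __DIR__ . '/vendor/autoload.php';

function makePurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    // Whitelist, not blacklist: every element or attribute not listed here is
    // removed. No script/style/iframe, no on* handlers, no style attribute.
    // (Constructed list: narrow it to what your TinyMCE toolbar actually emits.)
    $config->set('HTML.Allowed',
        'p,br,b,strong,i,em,u,s,blockquote,ul,ol,li,h2,h3,pre,code,' .
        'a[href|title],img[src|alt|width|height]');
    // Only these URL schemes survive in href/src; javascript: and data: do not.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true, 'mailto' => true]);
    $config->set('HTML.Nofollow', true);        // rel="nofollow" on every link
    $config->set('Cache.DefinitionImpl', null); // no on-disk cache for this demo
    return new HTMLPurifier($config);
}

// Call this once when the post is saved and store the result; render only the
// stored, purified HTML with {!! $post->body_html !!} in the Blade template.
function cleanSubmittedHtml(string $dirty): string
{
    static $purifier = null;
    if ($purifier === null) {
        $purifier = makePurifier();
    }
    return $purifier->purify($dirty);
}

// Constructed sample of the kind of payload a tampered editor form could post:
// an inline handler, a script tag, a javascript: link and an onerror image.
$dirty = '<p onclick="alert(1)">Hello <b>world</b></p>'
    . '<script>alert(document.cookie)</script>'
    . '<a href="javascript:alert(1)">click</a>'
    . '<img src="x" onerror="alert(1)">';

// The <p> and <b> survive; the script element, both event handlers and the
// javascript: href are all removed by the whitelist.
echo cleanSubmittedHtml($dirty), PHP_EOL;
```

Purifying at save time keeps the expensive parse off the render path; if you later widen the whitelist, re-run the purifier over the stored column rather than trusting old rows.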