
I apologize if a question like this has already been asked. I couldn't find one.

So basically, I am using CKEditor (the basic version) and Laravel 5.1. I had no problem implementing it, I am just ultra paranoid about validating the information server side. I am using the Blade template engine. In my view, when rendering the data, I am doing something like {!! $something->info !!}, not {{ $something->info }}, because I expect HTML tags such as <a></a>, <b></b>, etc.

Well what happens if a user types something like <script>alert(1)</script> or even worse ...

All in all, I am asking whether you can share some good practices, maybe using a function where I can say which tags are allowed...

festiv
    Best practice is to never trust the user. If you're displaying the user input without processing, then you need to stick with {{ }} in your blade template. – Can Celik Feb 17 '16 at 20:27
  • That's what I am asking. How can I process it in a good way, so that the user can still modify the content he/ she is adding with different tags and styling and I can sleep tight without worrying about someone being able to hack my website? – festiv Feb 17 '16 at 20:35
  • 1
    Well, you had to search with [sanitizing html input](http://stackoverflow.com/questions/9853239/how-do-i-filter-out-dangerous-html-like-so-does) as keywords. Hope it gives you insight - especially the libraries they suggested. And look at this [L5 Html Purifier](https://github.com/mewebstudio/Purifier) if you're too lazy to google the Laravel-based library. – Bagus Tesa Feb 19 '16 at 02:07
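The whitelist approach the question asks for, as an added example that is not part of the question or the comments: it uses HTMLPurifier directly (ezyang/htmlpurifier, the library behind the mewebstudio/Purifier package mentioned above), assumes it was installed with Composer, and the `$dirty` input is a constructed sample of what an editor user could submit.

```php
<?php
// Added example, not code from the question or the linked package.
// Assumes: composer require ezyang/htmlpurifier
require __DIR__ . '/vendor/autoload.php';

/**
 * Sanitise editor output with an explicit element/attribute whitelist.
 * Anything not listed in HTML.Allowed is stripped, so <script>, <img> and
 * every on* event-handler attribute never reach the stored value.
 */
function sanitizeEditorHtml(string $dirty): string
{
    $config = HTMLPurifier_Config::createDefault();

    // The whitelist: only these elements (and attributes) survive.
    $config->set('HTML.Allowed', 'p,b,strong,i,em,ul,ol,li,br,a[href|title]');

    // Allowing <a href> is only safe with a scheme whitelist: without it a
    // javascript: URL would pass through as a perfectly valid href value.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);

    // Keep HTMLPurifier's definition cache out of the vendor directory.
    $config->set('Cache.SerializerPath', sys_get_temp_dir());

    $purifier = new HTMLPurifier($config);
    return $purifier->purify($dirty);
}

// Constructed sample input: legitimate formatting mixed with the kind of
// markup the question is worried about.
$dirty = '<p>Hello <b>world</b>, see <a href="javascript:alert(1)" onclick="x()">this</a></p>'
       . '<script>alert(1)</script><img src="x" onerror="alert(1)">';

// The result keeps <p>, <b> and the <a> text; the script and img elements,
// the onclick attribute and the javascript: href are all removed.
echo sanitizeEditorHtml($dirty), PHP_EOL;
```

Run the sanitiser once when the value is saved (for example on `$request->input('info')` in the controller) rather than at render time, so the `{!! $something->info !!}` in the view only ever sees whitelisted markup. With the mewebstudio/Purifier package from the comment above, the same `HTML.Allowed` and `URI.AllowedSchemes` directives go into `config/purifier.php` and the call becomes `clean($request->input('info'))`.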

0 Answers