
I'm currently coding a webmail with PHP and Nunjucks for templating.

I want to be able to display raw text (that part is fine) and HTML mail.

But I want to be protected against XSS attacks. So I thought of using htmlspecialchars, but I want to allow the HTML layout and in-mail CSS to be displayed.

In my case htmlspecialchars is too harsh:

<?php
echo htmlspecialchars("<b>Bold</b>");
// Gives : &lt;b&gt;Bold&lt;/b&gt;
echo htmlspecialchars("<table><tr><td>col1</td><td>col2</td></tr></table>");
// Gives : &lt;table&gt;&lt;tr&gt;&lt;td&gt;col1&lt;/td&gt;&lt;td&gt;col2&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;

I know that Nunjucks allows me to mark a string as safe or unsafe, but I can't configure that.

The solution can be in JS (Nunjucks or vanilla JS) or in PHP; I don't mind which.

Is there a way to be protected against XSS (disallow JS execution in an element or in a displayed string) while still displaying HTML mails correctly?

Why this is not a duplicated question

I explain why it's not a duplicated question: I want to sanitize the HTML tags for display, not strip all tags. And if possible it should be a solution secured against encoding attacks or attacks through the src attribute of the img tag.

Samuel Dauzon

0 Answers
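Since the question has no answers, here is an added example (not from the question or its author) of the approach the question is asking about, in PHP: parse the mail with DOMDocument (a real HTML parser, not regexes), keep only an allowlist of layout elements, attributes, CSS properties and URL schemes, and re-serialize. The class name `MailHtmlSanitizer`, the allowlists and the sample mail string are assumptions made for this example. Because the parser decodes entities before the checks run, an encoded `&#106;avascript:` link is seen as `javascript:` and rejected, and `img src` is restricted to `cid:` (inline attachments) and `https:` so the mail cannot make the reader's browser fetch arbitrary resources.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question: allowlist sanitizer for HTML mail bodies.
final class MailHtmlSanitizer
{
    private const ALLOWED_TAGS = [
        'a', 'b', 'strong', 'i', 'em', 'u', 's', 'p', 'br', 'hr', 'span', 'div',
        'blockquote', 'pre', 'code', 'ul', 'ol', 'li', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6',
        'img', 'font', 'small', 'sub', 'sup', 'center',
        'table', 'thead', 'tbody', 'tfoot', 'tr', 'td', 'th', 'caption',
    ];
    // Elements removed together with their content (active content, forms, metadata).
    private const DROP_WITH_CONTENT = [
        'script', 'style', 'iframe', 'frame', 'frameset', 'object', 'embed', 'applet',
        'form', 'input', 'button', 'textarea', 'select', 'svg', 'math', 'meta', 'link',
        'base', 'noscript', 'template', 'head', 'title',
    ];
    private const GLOBAL_ATTRS = [
        'style', 'title', 'align', 'valign', 'width', 'height', 'bgcolor',
        'colspan', 'rowspan', 'cellpadding', 'cellspacing', 'border',
    ];
    private const TAG_ATTRS = ['a' => ['href'], 'img' => ['src', 'alt'], 'font' => ['color', 'face', 'size']];
    // Inline CSS properties kept; values with "(" or "\" are rejected below, so url(), expression() and escapes never pass.
    private const ALLOWED_CSS = [
        'color', 'background-color', 'font-size', 'font-family', 'font-weight', 'font-style',
        'text-align', 'text-decoration', 'line-height', 'vertical-align', 'margin', 'padding',
        'border', 'border-collapse', 'width', 'height', 'display',
    ];
    private const HREF_SCHEMES = ['http', 'https', 'mailto'];
    private const SRC_SCHEMES  = ['cid', 'https']; // inline attachments and https images only

    public static function sanitize(string $html): string
    {
        $doc  = new DOMDocument();
        $prev = libxml_use_internal_errors(true); // mail HTML is rarely well-formed
        // The meta tag makes libxml read the body as UTF-8; the wrapper gives us a <body> to walk.
        $doc->loadHTML('<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body>'
            . $html . '</body></html>');
        libxml_clear_errors();
        libxml_use_internal_errors($prev);

        $body = $doc->getElementsByTagName('body')->item(0);
        if ($body === null) {
            return '';
        }
        self::cleanChildren($body);
        $out = '';
        foreach ($body->childNodes as $child) {
            $out .= $doc->saveHTML($child); // re-serialized by the parser, so the browser sees normalized markup
        }
        return $out;
    }

    private static function cleanChildren(DOMNode $parent): void
    {
        foreach (iterator_to_array($parent->childNodes) as $child) { // snapshot: the live list changes below
            if ($child instanceof DOMElement) {
                self::cleanElement($child);
            } elseif ($child->nodeType !== XML_TEXT_NODE) {
                $parent->removeChild($child); // comments (incl. IE conditional comments), CDATA, PIs
            }
        }
    }

    private static function cleanElement(DOMElement $el): void
    {
        $tag = strtolower($el->tagName);
        if (in_array($tag, self::DROP_WITH_CONTENT, true)) {
            $el->parentNode->removeChild($el);
            return;
        }
        self::cleanChildren($el); // descendants first, then decide about $el itself
        if (!in_array($tag, self::ALLOWED_TAGS, true)) {
            while ($el->firstChild !== null) { // unknown element: keep its cleaned content, drop the tag
                $el->parentNode->insertBefore($el->firstChild, $el);
            }
            $el->parentNode->removeChild($el);
            return;
        }
        $allowed = array_merge(self::GLOBAL_ATTRS, self::TAG_ATTRS[$tag] ?? []);
        $names = [];
        foreach ($el->attributes as $attr) {
            $names[] = $attr->name;
        }
        foreach ($names as $name) {
            $lname = strtolower($name);
            $value = $el->getAttribute($name); // already entity-decoded by the parser
            if (!in_array($lname, $allowed, true)) {
                $el->removeAttribute($name); // covers every on* handler and anything unexpected
            } elseif (($lname === 'href' && !self::safeUrl($value, self::HREF_SCHEMES))
                   || ($lname === 'src'  && !self::safeUrl($value, self::SRC_SCHEMES))) {
                $el->removeAttribute($name);
            } elseif ($lname === 'style') {
                $css = self::cleanStyle($value);
                $css === '' ? $el->removeAttribute($name) : $el->setAttribute('style', $css);
            }
        }
        if ($tag === 'a' && $el->hasAttribute('href')) {
            $el->setAttribute('rel', 'noopener noreferrer');
        }
    }

    private static function safeUrl(string $url, array $schemes): bool
    {
        // Browsers ignore control characters and whitespace inside a scheme ("java\tscript:"), so strip them first.
        $u = preg_replace('/[\x00-\x20\x7f]+/', '', $url);
        if (!preg_match('/^([a-z][a-z0-9+.-]*):/i', $u, $m)) {
            return false; // relative URL: a mail has no base to resolve it against, so reject
        }
        return in_array(strtolower($m[1]), $schemes, true);
    }

    private static function cleanStyle(string $style): string
    {
        $kept = [];
        foreach (explode(';', $style) as $decl) {
            if (strpos($decl, ':') === false) {
                continue;
            }
            [$prop, $val] = array_map('trim', explode(':', $decl, 2));
            if (in_array(strtolower($prop), self::ALLOWED_CSS, true)
                && preg_match('/^[a-z0-9 #%.,"\'-]+$/i', $val) === 1) {
                $kept[] = strtolower($prop) . ': ' . $val;
            }
        }
        return implode('; ', $kept);
    }
}

// Constructed sample input for the example (not a real mail).
$mail = '<table style="border-collapse:collapse"><tr><td style="color:#333;background:url(http://evil.example/x)">col1</td>'
      . '<td onclick="alert(1)">col2</td></tr></table>'
      . '<a href="&#106;avascript:alert(1)">click</a>'
      . '<img src="http://tracker.example/pixel.gif"><script>alert(1)</script>';
echo MailHtmlSanitizer::sanitize($mail), PHP_EOL;
```

On the sample above, the table and its `color` declaration survive, while the `background: url(...)` declaration, the `onclick` handler, the encoded `javascript:` link target, the `http:` image source and the `<script>` element are removed. Pass only the output of `sanitize()` to the template and mark that one value with Nunjucks' `safe` filter, keeping autoescaping on for everything else. Two caveats a practitioner would add: `<style>` blocks are dropped here, so only inline `style=""` survives, and hand-rolled sanitizers are easy to get wrong, so in production prefer a maintained allowlist library (HTML Purifier in PHP, DOMPurify in the browser) and render the mail in a sandboxed iframe served with an explicit `charset=utf-8` and a Content-Security-Policy as defense in depth.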