
On my client side, I have a rich text area where the user is allowed to enter HTML. Then, how in PHP do I ensure that the PHP is safe? Is there any validation in PHP for checking HTML?

By safe I mean that the HTML does not contain any malicious code.

Noor

3 Answers


You'll want to sanitize your input before saving it. http://htmlpurifier.org/ does a great job and is pretty easy to implement and insanely configurable.

ChrisR
  • Yep, agree. HtmlPurifier has been commonly referenced as doing sanitizing best! http://ha.ckers.org/xss.html contains a very large list of possible XSS attacks. You will never be able to counter those by hand...! – Willem Mulder Dec 09 '11 at 07:48
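As an added example (not part of the original answer or its comment), this is what the allow-list approach looks like with HTML Purifier. It assumes the library was installed through Composer as ezyang/htmlpurifier so its autoloader is available; the element list, the URI schemes and the sample input are constructed for illustration.

```php
<?php
// Added example, not from the original answer: sanitize user-submitted HTML with
// HTML Purifier before it is stored. Assumes the library was installed with
// Composer (package ezyang/htmlpurifier) so the autoloader below exists.
require_once __DIR__ . '/vendor/autoload.php';

function sanitizeRichText(string $dirtyHtml): string
{
    $config = HTMLPurifier_Config::createDefault();

    // Allow list of elements and attributes. Anything not listed is dropped,
    // including script/style/iframe and every on* event-handler attribute.
    $config->set('HTML.Allowed', 'p,br,b,strong,i,em,ul,ol,li,a[href|title]');

    // Links may only point at http(s) or mailto targets; javascript: URLs are
    // rejected because the scheme is not in this lookup.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true, 'mailto' => true]);

    // Mark user-supplied links as nofollow so stored spam links gain nothing.
    $config->set('HTML.Nofollow', true);

    $purifier = new HTMLPurifier($config);
    return $purifier->purify($dirtyHtml);
}

// Constructed sample input exercising a few classic vectors from the
// ha.ckers.org list linked in the comment above.
$dirty = '<p onmouseover="alert(1)">Hello <b>world</b></p>'
       . '<script>alert(document.cookie)</script>'
       . '<a href="javascript:alert(1)">click</a>'
       . '<a href="https://example.com/">ok</a>';

echo sanitizeRichText($dirty), PHP_EOL;
```

Run the sanitizer once, on the way into the database, and keep the original configuration object under version control: the allow list is the security boundary, so a change to it deserves the same review as a code change. Output escaping (htmlspecialchars) is still needed anywhere you print plain-text fields; the purified fragment is the one value you render as HTML.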

You could look into HTMLPurifier http://htmlpurifier.org/, I have yet to use it but I remember seeing a screencast or two on it at www.zendcasts.com.

You could also use a Zend Framework Filter like Zend_Filter_StripTags.

John

You could strip the tags that are not allowed, using strip_tags();

<?php
$allow = '<p><ul><li><b><strong>'; // Just an example of the tags to keep
$input = strip_tags($input, $allow); // the second argument must be the allow list defined above
?>

Other than that, it's advised to use mysql_real_escape_string($input) or, better yet, see: Is this a safe way to filter data and prevent SQL-injection and other attacks?

mat
  • You should point out clearly that HTML filtering and SQL escaping are different countermeasures for different attack vectors: SQL injection (which breaks your DB) vs. PHP/HTML injection (which breaks your application / website). – Kaii Dec 09 '11 at 08:38
  • Agreed, they are two different things. But since the TS spoke about "malicious code" I thought I'd add it. – mat Dec 09 '11 at 10:23
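The strip_tags() approach in the answer above has a gap that an added example (not from the original answer or its comments) makes visible: strip_tags() never touches the attributes of the tags it keeps, so an allowed <p> carrying an onmouseover handler survives intact, and the body of a stripped <script> is left behind as visible text. The block below shows that, then contrasts a minimal DOM-based filter that also drops attributes. The sample input and the allow-list array are constructed for illustration, and the filter is a teaching aid that uses only ext-dom; for production the comments above are right that a maintained sanitizer such as HTML Purifier is the safer choice.

```php
<?php
// Added example, not from the original answer: why strip_tags() with an allow
// list is not enough, next to a minimal DOM-based allow-list filter that also
// strips attributes. Uses only ext-dom, which ships with PHP.

// Constructed sample input: allowed tags carrying hostile attributes.
$input = '<p onmouseover="alert(1)">Hi <b style="x:expression(alert(1))">there</b>'
       . ' <a href="javascript:alert(1)">link</a><script>alert(2)</script></p>';

// strip_tags() removes <a> and <script> here, but keeps every attribute on the
// tags that survive: onmouseover and style are still present, and the text
// "alert(2)" from the script body is left in the output.
$allow = '<p><ul><li><b><strong>';
$viaStripTags = strip_tags($input, $allow);

/**
 * Rebuild the fragment keeping only allow-listed elements and attributes.
 * $allowed maps a lowercase tag name to the list of attributes it may keep.
 * Disallowed elements are unwrapped (their text survives), script/style are
 * removed whole, and href is restricted to http(s)/mailto.
 */
function filterHtml(string $html, array $allowed): string
{
    $doc = new DOMDocument();
    // The meta tag tells libxml the fragment is UTF-8; the wrapper div lets us
    // find and re-serialize just the user's fragment afterwards.
    $wrapped = '<meta http-equiv="Content-Type" content="text/html; charset=utf-8">'
             . '<div id="root">' . $html . '</div>';
    libxml_use_internal_errors(true);      // unknown tags are errors we expect
    $doc->loadHTML($wrapped);
    libxml_clear_errors();

    $root = (new DOMXPath($doc))->query('//div[@id="root"]')->item(0);
    cleanNode($root, $allowed);

    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function cleanNode(DOMNode $node, array $allowed): void
{
    // Iterate over a static copy: the tree is mutated while walking it.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if ($child instanceof DOMComment) {
            $node->removeChild($child);        // comments can hide conditional markup
            continue;
        }
        if (!$child instanceof DOMElement) {
            continue;                          // text nodes are kept as-is
        }
        $tag = strtolower($child->tagName);
        if (in_array($tag, ['script', 'style'], true)) {
            $node->removeChild($child);        // contents are code, not text: drop whole
            continue;
        }
        cleanNode($child, $allowed);           // clean descendants first
        if (!isset($allowed[$tag])) {
            // Unwrap: hoist the (already clean) children, then remove the element.
            while ($child->firstChild) {
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
            continue;
        }
        foreach (iterator_to_array($child->attributes, false) as $attr) {
            $name = strtolower($attr->name);
            if (!in_array($name, $allowed[$tag], true)) {
                $child->removeAttribute($attr->name);      // covers on*, style, etc.
            } elseif ($name === 'href' && !preg_match('#^(https?:|mailto:)#i', trim($attr->value))) {
                $child->removeAttribute($attr->name);      // javascript:, data:, vbscript:
            }
        }
    }
}

// Constructed allow list: same tags as the answer's $allow, plus <a href>.
$allowed = ['p' => [], 'ul' => [], 'li' => [], 'b' => [], 'strong' => [], 'a' => ['href']];
$viaDom = filterHtml($input, $allowed);

echo "strip_tags: $viaStripTags\n";
echo "DOM filter: $viaDom\n";
```

Run both lines side by side and the difference is the point: the strip_tags output still contains onmouseover="alert(1)", whereas the DOM filter emits plain <p> and <b> elements and a link without its javascript: target. Even this filter only covers the cases listed in its comments (no handling of unusual encodings, CSS, or nested-quote tricks), which is exactly why the thread recommends a library that tracks the full XSS vector list.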