PHP XSS Prevention WhiteListing

Posted by pws5068 on Stack Overflow See other posts from Stack Overflow or by pws5068
Published on 2010-06-07T19:57:41Z Indexed on 2010/06/07 20:02 UTC
Read the original article Hit count: 381

Filed under:

php

|

validation

|

xss

|

wysiwyg

|

cross-site-scripting

My site utilizes a WYSIWYG editor for users to update their accounts,enter comments, and send private messages.

The editor (CKEditor) is great for only allowing users to enter valid input, but I worry about injection through TamperData or other means.

How can I control this on the server side?

I need to whitelist specific tags: <b><ul><ol><a><img><br>, will this be a SAFE approach to preventing XSS?

© Stack Overflow or respective owner

Related posts about php

Magento, NGINX, PHP-FPM, APC, MEMCACHED, 16gb Ram CentOS, Spiking PHP-FPM to 100% CPU

as seen on Server Fault - Search for 'Server Fault'
I have been trying to resolve my issue of spiking cpu caused by php-fpm processes. I've reduced the php-fpm config settings to: pm = ondemand pm.max_children = 12 pm.start_servers = 2 pm.min_spare_servers = 2 pm.max_spare_servers = 10 pm.max_requests = 500 php_admin_value[memory_limit] = 128M Problem… >>> More
PHP Pear Installation on CentOS

as seen on Server Fault - Search for 'Server Fault'
[root@ip ~]# yum install php-pear* Reducing CentOS-5 Testing to included packages only Finished Setting up Install Process Package 1:php-pear-1.8.1-2.el5.centos.noarch already installed and latest versio … >>> More
Apache configurations for php "AddType text/html php" or "AddType application/x-httpd-php php .php"

as seen on Server Fault - Search for 'Server Fault'
I am taking over an application server and discover that it contain the following settings: AddType text/html php Although it works, but my understanding is that it should set as following: AddType application/x-httpd-php php .php What are the key differences between the two settings?… >>> More
mod_rewrite settings causes server to throw HTTP 500 errors instead of 404

as seen on Server Fault - Search for 'Server Fault'
Hello. I have a server with VBulletin forum (working under Apache 2.2, CentOS). The default settings for it in .htaccess are as follows: RewriteEngine on RewriteCond %{HTTP_HOST} ^gsmforum\.ru RewriteRule (.*) http://www.gsmforum.ru/$1 [R=301,L] # If you are having problems or are using VirtualDocumentRoot… >>> More
Problems installing Memcache (PECL extension)

as seen on Server Fault - Search for 'Server Fault'
I have installed memcached fine, and now I will need to install PECL extension memcache. Im running RedHat x86_64 es5. The installation gives me this: downloading memcache-2.2.6.tgz ... Starting to download memcache-2.2.6.tgz (35,957 bytes) ..........done: 35,957 bytes 11 source files, building running:… >>> More

Related posts about validation

How can I use Windows Workflow for validation of a Silverlight application?

as seen on Programmers - Search for 'Programmers'
I want to use Windows Workflow to provide a validation service. The validation that will be provided may have multiple tiers with chaining and redirecting to other stages of validation. The application that will generate the data for validation is a Silverlight app. I imagine the validation will… >>> More
HTML5 Form Validation

as seen on Stephen Walter - Search for 'Stephen Walter'
The latest versions of Google Chrome (16+), Mozilla Firefox (8+), and Internet Explorer (10+) all support HTML5 client-side validation. It is time to take HTML5 validation seriously. The purpose of the blog post is to describe how you can take advantage of HTML5 client-side validation regardless of… >>> More
HTML5 Form Validation

as seen on Stephen Walter - Search for 'Stephen Walter'
The latest versions of Google Chrome (16+), Mozilla Firefox (8+), and Internet Explorer (10+) all support HTML5 client-side validation. It is time to take HTML5 validation seriously. The purpose of the blog post is to describe how you can take advantage of HTML5 client-side validation regardless of… >>> More
Introducing Data Annotations Extensions

as seen on ASP.net Weblogs - Search for 'ASP.net Weblogs'
Validation of user input is integral to building a modern web application, and ASP.NET MVC offers us a way to enforce business rules on both the client and server using Model Validation. The recent release of ASP.NET MVC 3 has improved these offerings on the client side by introducing an unobtrusive… >>> More
jQuery validation per multiple fieldsets, how to use different event to trigger validation per secti

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi All! I have a really, really long form (about 300 fields) that I broke down into different sections using this slick jQuery plugin Form Wizard. If you group your form into different fieldsets, the FormWizard will automagically display one section at a time, with a Next hyperlink to take you to… >>> More