
I’m looking for best practices for performing strict (whitelist) validation/filtering of user-submitted HTML.

Main purpose is to filter out XSS and similar nasties that may be entered via web forms. Secondary purpose is to limit breakage of HTML content entered by non-technical users, e.g. via a WYSIWYG editor that has an HTML view.

I’m considering using HTML Purifier, or rolling my own by using an HTML DOM parser to go through a process like HTML(dirty)->DOM(dirty)->filter->DOM(clean)->HTML(clean).

Can you describe successes with these or any easier strategies that are also effective? Any pitfalls to watch out for?

2 ANSWERS

February 16, 2017 at 10:21 am admin

I used HTML Purifier with success and haven’t had any XSS or other unwanted input filter through. I also run the sanitized HTML through the Tidy extension to make sure it validates as well.

February 16, 2017 at 10:22 am admin

I’ve tested all exploits I know on HTML Purifier and it did very well. It filters not only HTML, but also CSS and URLs.

Once you narrow elements and attributes to innocent ones, the pitfalls are in attribute content – javascript: pseudo-URLs (IE allows tab characters in protocol name – java script: still works) and CSS properties that trigger JS.

Parsing of URLs may be tricky, e.g. these are valid: http://spoof.com:xxx@evil.com or //evil.com. Internationalized domains (IDN) can be written in two ways – Unicode and punycode.

Go with HTML Purifier – it has most of these worked out. If you just want to fix broken HTML, then use HTML Tidy (it’s available as a PHP extension).
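The HTML(dirty)->parse->filter->HTML(clean) pipeline the question sketches, with the href pitfalls from the answer above (tab inside the scheme, userinfo before the real host, protocol-relative //evil.com), as an added example in Python rather than the PHP tools discussed. This is illustration code, not HTML Purifier's; the ALLOWED_TAGS/ALLOWED_ATTRS policy and the SAFE_URL rule are assumptions made for the example.

```python
import re
from html import escape
from html.parser import HTMLParser

# Assumed policy (not HTML Purifier's defaults): a few formatting elements, href on <a> only.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "ul", "ol", "li", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL = re.compile(r"""
    ^https?://[^/?#@\\]+([/?#]|$)         # plain host: refuses http://spoof.com:xxx@evil.com
  | ^mailto:
  | ^(?![a-z][a-z0-9+.-]*:)(?!//)[^\\]*$  # no scheme at all, and not protocol-relative //evil.com
""", re.VERBOSE | re.IGNORECASE)

def safe_href(value):
    # Browsers ignore ASCII controls in a scheme ("java\tscript:" runs), so strip them first.
    url = re.sub(r"[\x00-\x20\x7f]", "", value)
    return url if SAFE_URL.match(url) else None

class WhitelistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.stack = [], []
    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # the element vanishes; its text is kept as escaped text
        kept = ""
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, ()) and value is not None:
                value = safe_href(value) if name == "href" else value
                if value is not None:
                    kept += ' %s="%s"' % (name, escape(value, quote=True))
        self.out.append("<%s%s>" % (tag, kept))
        if tag != "br":
            self.stack.append(tag)
    def _close(self, i):  # emit end tags for stack[i:], innermost first
        self.out.extend("</%s>" % t for t in reversed(self.stack[i:]))
        del self.stack[i:]
    def handle_endtag(self, tag):
        if tag in self.stack:  # also closes tags left open inside it
            self._close(len(self.stack) - 1 - self.stack[::-1].index(tag))
    def handle_data(self, data):
        self.out.append(escape(data, quote=False))
    def result(self):
        self._close(0)  # close whatever the author never closed
        return "".join(self.out)

def sanitize(dirty):
    p = WhitelistSanitizer()
    p.feed(dirty); p.close()
    return p.result()
```

Because the output is re-serialized from tokens, mis-nested or unclosed tags from a WYSIWYG editor come out balanced, which covers the question's secondary goal.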
