I have a textarea where the user can enter text and format it with options such as Bold, Italics and Underline. The text is formatted as HTML. So now the question is how to store that text in the database. I can't save the HTML directly, because the user could enter some malicious JS and create an XSS vulnerability. I'm using MySQL with PDO in PHP. I'm also restricted in that I can't use a library.
Answer 0 (score: -1)
Because of the comments, I still have to point out a good library such as HTMLPurifier.
If you do not sanitize the input properly, this is not safe. Do not reinvent the wheel. Use a library.
But you said:
I can't use a library.
Updating my answer:
The least you can do is to limit the tags allowed by strip_tags and check the attributes. Your markup can still be broken with this solution, but I think that is fine if you allow HTML.
With DOMDocument you will only be able to use whitelisted attributes. You can whitelist an attribute by pushing it onto the $allowedAttributes array.
So you can simply use strip_tags(). strip_tags strips all HTML tags except the allowed ones; the second parameter of strip_tags is a string in which you define which tags are allowed, so you can allow bold, italic, strong and so on.
I still recommend that you use a good library.
Try this and add the allowed tags to strip_tags():
Usage (example.php):
$html = '<h1><img style="float: right;" title="TinyMCE Logo" src="img/tlogo.png" alt="TinyMCE Logo" width="92" height="80" />Welcome to the TinyMCE editor demo!</h1>
<p>Feel free to try out the different features that are provided, please note that the <strong>MoxieManager</strong> specific functionality is part of our commercial offering. The demo is to show the integration.</p>
<h2>Got questions or need help?</h2>
<p>If you have questions or need help, feel free to visit our <a href="../forum/index.php">community forum</a>! We also offer Enterprise <a href="../enterprise/support.php">support</a> solutions. Also do not miss out on the <a href="../wiki.php">documentation</a>, its a great resource wiki for understanding how TinyMCE works and integrates.</p>
<h2>Found a bug?</h2>
<p>If you think you have found a bug, you can use the <a href="../develop/bugtracker.php">Bug Tracker</a> to report bugs to the developers.</p>
<p>And here is a simple table for you to play with.</p>
<table border="0">
<tbody>
<tr>
<td><strong>Product</strong></td>
<td><strong>Cost</strong></td>
<td><strong>Really?</strong></td>
</tr>
<tr>
<td><b onclick="alert(\'hello\');">TinyMCE</b></td>
<td>Free</td>
<td>YES!</td>
</tr>
<tr>
<td>Plupload</td>
<td>Free</td>
<td>YES!</td>
</tr>
</tbody>
</table>
<p>Enjoy our software and create great content!</p>
<p>Oh, and by the way, don\'t forget to check out our other product called <a href="http://www.plupload.com" target="_blank">Plupload</a>, your ultimate upload solution with HTML5 upload support!</p>';
$stripped = strip_tags( $html, "<p><strong><b>" );
// strip_tags() keeps every attribute on the tags it allows (e.g. <b onclick="...">),
// so the attributes still have to be checked on the DOM
$domDocument = new DOMDocument();
libxml_use_internal_errors( true ); // malformed HTML would otherwise emit warnings
$loaded = $domDocument->loadHTML( $stripped ); // load the stripped text, not the raw input
libxml_clear_errors();
if( !$loaded ) {
//return some error message
}
$allowedAttributes = array(
"style", // note: style still lets arbitrary CSS through (url(), legacy expression()); drop it if you do not need it
"title",
"alt",
"width",
"height",
"border"
// if you are allowing href, please sanitize the href i.e. check against traversal and other stuff like linking to a malicious website
);
foreach( $domDocument->getElementsByTagName( "*" ) as $element ) {
if( !( $element instanceof DOMElement ) ) continue;
if( !$element->hasAttributes() ) continue;
// collect the names first: removing attributes while iterating the live
// DOMNamedNodeMap skips every second attribute
$names = array();
foreach( $element->attributes as $attribute ) {
$names[] = $attribute->nodeName;
}
foreach( $names as $name ) {
if( in_array( $name, $allowedAttributes, true ) ) continue;
$element->removeAttribute( $name );
}
}
// loadHTML() wrapped the fragment in <!DOCTYPE><html><body>; serialise only the body's children
$body = $domDocument->getElementsByTagName( "body" )->item( 0 );
$stripped = "";
foreach( $body->childNodes as $child ) {
$stripped .= $domDocument->saveHTML( $child );
}
echo $stripped;
Output:
Welcome to the TinyMCE editor demo!
<p>Feel free to try out the different features that are provided, please note that the <strong>MoxieManager</strong> specific functionality is part of our commercial offering. The demo is to show the integration.</p>
Got questions or need help?
<p>If you have questions or need help, feel free to visit our community forum! We also offer Enterprise support solutions. Also do not miss out on the documentation, its a great resource wiki for understanding how TinyMCE works and integrates.</p>
Found a bug?
<p>If you think you have found a bug, you can use the Bug Tracker to report bugs to the developers.</p>
<p>And here is a simple table for you to play with.</p>
<strong>Product</strong>
<strong>Cost</strong>
<strong>Really?</strong>
<b>TinyMCE</b>
Free
YES!
Plupload
Free
YES!
<p>Enjoy our software and create great content!</p>
<p>Oh, and by the way, don't forget to check out our other product called Plupload, your ultimate upload solution with HTML5 upload support!</p>
The sample text is taken from the TinyMCE example page (here).
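As an added example that is not part of the original answer: a complete allow-list sanitizer in plain PHP, using only ext/dom so it honours the no-library constraint. It does what the answer's strip_tags() plus attribute check aims for, but works entirely on the parsed DOM: tags not on the list are unwrapped (their text survives) or, for script/style and friends, dropped with their content; attributes are allow-listed per tag; and href values are checked against a scheme list after the parser has decoded entities and after the browser-style whitespace normalisation, so `&#106;avascript:` and `java\tscript:` are rejected along with the plain form. The tag list, the scheme list, the `posts(body)` table and the `storePost()` helper are assumptions made for this example; the sample input is constructed.

```php
<?php
// Added example, not the original answer's code: an allow-list HTML sanitizer
// built on ext/dom only (no third-party library).  Everything not listed in
// ALLOWED_TAGS is unwrapped or dropped, every attribute not listed for its
// tag is removed, and href values must use an allow-listed scheme.

// Assumption: this is the formatting the textarea's toolbar offers.
const ALLOWED_TAGS = [
    'p' => [], 'br' => [], 'b' => [], 'strong' => [], 'i' => [], 'em' => [],
    'u' => [], 'ul' => [], 'ol' => [], 'li' => [],
    'a' => ['href'],            // href is additionally validated by isSafeUrl()
];
const ALLOWED_URL_SCHEMES = ['http', 'https', 'mailto'];
// Elements whose content is not text the user meant to write: drop them whole.
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed', 'noscript'];

function isSafeUrl(string $url): bool
{
    // Browsers strip leading/trailing C0 controls and spaces and remove
    // TAB/LF/CR anywhere before parsing a URL, so "java\tscript:" runs as
    // javascript:.  Normalise the same way before checking the scheme.
    $url = preg_replace('/^[\x00-\x20]+|[\x00-\x20]+$/', '', $url);
    $url = str_replace(["\t", "\n", "\r"], '', $url);
    // No scheme (relative URL) is fine; a scheme must be on the allow-list.
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $url, $m)) {
        return true;
    }
    return in_array(strtolower($m[1]), ALLOWED_URL_SCHEMES, true);
}

function sanitizeNode(DOMNode $parent): void
{
    // Snapshot the list: removing or moving nodes while iterating the live
    // DOMNodeList skips siblings, which is exactly how filters get bypassed.
    foreach (iterator_to_array($parent->childNodes, false) as $node) {
        if ($node instanceof DOMText) {
            continue;                       // saveHTML() escapes text nodes
        }
        if (!$node instanceof DOMElement) {
            $parent->removeChild($node);    // comments, processing instructions
            continue;
        }
        $tag = strtolower($node->tagName);
        if (!isset(ALLOWED_TAGS[$tag])) {
            if (in_array($tag, DROP_WITH_CONTENT, true)) {
                $parent->removeChild($node);
                continue;
            }
            // Unwrap: keep the (sanitised) children, lose the tag itself.
            sanitizeNode($node);
            while ($node->firstChild !== null) {
                $parent->insertBefore($node->firstChild, $node);
            }
            $parent->removeChild($node);
            continue;
        }
        // Allowed element: remove every attribute not allow-listed for it.
        foreach (iterator_to_array($node->attributes, false) as $attr) {
            if (!in_array(strtolower($attr->nodeName), ALLOWED_TAGS[$tag], true)) {
                $node->removeAttributeNode($attr);
            }
        }
        // The parser already decoded entities, so "&#106;avascript:" arrives
        // here as "javascript:" and is rejected like the plain form.
        if ($tag === 'a' && $node->hasAttribute('href')
            && !isSafeUrl($node->getAttribute('href'))) {
            $node->removeAttribute('href');
        }
        sanitizeNode($node);
    }
}

function sanitizeHtml(string $dirty): string
{
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);   // tolerate sloppy user markup quietly
    // The XML PI tells libxml the input is UTF-8 (it assumes ISO-8859-1 otherwise).
    $doc->loadHTML('<?xml encoding="UTF-8" ?><body>' . $dirty . '</body>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';
    }
    sanitizeNode($body);

    $out = '';
    foreach ($body->childNodes as $child) {     // skip the <html><body> wrapper
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Hypothetical storage step (assumed table `posts` with a TEXT column `body`).
// Sanitise first, then bind; the prepared statement covers SQL injection,
// which is a separate problem from the XSS the sanitizer addresses.
function storePost(PDO $pdo, string $dirtyHtml): string
{
    $clean = sanitizeHtml($dirtyHtml);
    $stmt = $pdo->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => $clean]);
    return $clean;
}

// Constructed sample input covering what strip_tags() alone lets through.
$dirty = '<p>Hello <b onclick="alert(1)">world</b>, '
       . '<a href="javascript:alert(document.cookie)">one</a> '
       . '<a href="&#106;avascript:alert(1)">two</a> '
       . '<a href="https://example.com/">three</a></p>'
       . '<script>alert(2)</script><img src="x" onerror="alert(3)">'
       . '<!-- <b onmouseover=alert(4)> -->';
echo sanitizeHtml($dirty), "\n";
```

Running the sample drops the onclick handler, both javascript: links keep their text but lose href, the https link is kept, and the script, img and comment disappear entirely. Two design points worth keeping in mind: scheme-relative links (`//host/...`) pass as relative, which is fine for a link but means the check is a scheme filter, not a destination filter; and because the allow-list will change over time while old rows persist, run the same sanitizer again when rendering stored HTML rather than trusting what was written to the database years earlier.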