The Blog

Avoiding XSS injection without sacrificing some tags in PHP

23 Mar 12

Sooner or later I always remember I have a blog. This time the topic is XSS.

If you don't have a clue what XSS is, maybe you should read this before reading this article.

In my day job the content is generated by third-party people. In order to be safe, I always thought PHP's strip_tags function was safe enough. In my case I needed to keep some HTML tags working without letting malicious code pass through.

Fortunately strip_tags accepts, as its second parameter, a list of tags that are allowed to survive. But here is the catch:

What happens if the variable you'd like to strip contains something like this?

Well, since the `a` tag is allowed by our strip_tags call, the tag survives together with all of its attributes, and the malicious code gets injected.

So here is what I discovered today: "strip_tags is not safe enough."

The next question that popped into my mind was: "How do I make strip_tags safe enough without adding any external library to the project?"

Well, the easy solution was to also strip away the HTML attributes (since in my case those weren't needed). How to do that? This snippet of code worked (for now) for me.
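As an added example (not the snippet from the original post), here is the same idea written out: first the allowlisted strip_tags call on its own, which shows the attributes surviving, then a second pass that drops every attribute from the tags that remain. The function names, the ALLOWED_TAGS constant and the sample input are constructed for this demonstration; it needs PHP 7 or later for the type declarations.

```php
<?php
// Added example, not the code from the original post. Demonstrates that
// strip_tags() with an allowlist keeps the attributes of allowed tags, and
// shows one way to remove those attributes afterwards.

// Tags that may survive sanitization (constructed for this example).
const ALLOWED_TAGS = '<a><b><i><p>';

/**
 * strip_tags() removes every tag that is not on the allowlist, but the
 * allowed tags are kept together with ALL of their attributes, so an
 * event-handler attribute on an allowed <a> passes straight through.
 */
function strip_tags_only(string $html): string
{
    return strip_tags($html, ALLOWED_TAGS);
}

/**
 * Same allowlist, followed by a pass that rewrites every surviving opening
 * tag as the bare tag name. The pattern matches '<', a tag name, and
 * everything up to the next '>'. Closing tags such as </a> start with '/'
 * and are not matched, so they are left untouched.
 */
function sanitize_keep_bare_tags(string $html): string
{
    $stripped = strip_tags($html, ALLOWED_TAGS);
    return preg_replace('/<([a-z][a-z0-9]*)\b[^>]*>/i', '<$1>', $stripped);
}

// Constructed sample input: a harmless paragraph, a link that carries an
// event-handler attribute, and a script element that is not on the allowlist.
$sample = '<p>Hi <b>there</b></p>'
        . '<a href="https://example.com" onmouseover="alert(1)">link</a>'
        . '<script>alert(2)</script>';

// With strip_tags alone the <script> tag is gone (its text body is left
// behind as plain text, which a browser does not execute), but the <a>
// keeps its onmouseover attribute.
echo "strip_tags only:\n", strip_tags_only($sample), "\n\n";

// After the second pass the <a>, <b> and <p> tags remain with no attributes.
echo "tags kept, attributes dropped:\n", sanitize_keep_bare_tags($sample), "\n";
```

Dropping all attributes also drops `href`, so links lose their target; that is acceptable here only because, as the post says, the attributes were not needed. The regex is the quick fix the post describes, not a general HTML sanitizer: it treats the first `>` it sees as the end of the tag, so it should be used on the output of strip_tags, not on raw input, and a parser-based sanitizer is the more robust choice when attributes such as `href` must be kept.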

Further readings:


  • Matteo

    Nice article buch, especially the image 😀 I remember reading somewhere that, in general, regexps are not safe enough to sanitize HTML; if I'm not mistaken there's a library that uses an HTML parser to remove the potentially harmful attributes. If I find the article I'll send you the link.

  • Andrea Baccega

    Thanks Matteo. I believe the further readings I put in the post include a few libraries.