Baccega Andrea Blog

The future is web3.0

Posted on by veke87


Sooner or later I always remember that I have a blog. This time the topic is XSS.

If you have no idea what XSS is, you should read this before reading this article.

In my day job the content is generated by third parties. To stay safe, I always thought PHP's strip_tags function was good enough. In my case I needed some HTML tags to keep working without letting malicious code through.

Fortunately strip_tags accepts, as its second parameter, the list of tags that are allowed. But here is the catch:

[GitHub Gist 2509477 could not be embedded here]

What happens if the variable you'd like to strip contains something like this?

[GitHub Gist 2509477 could not be embedded here]

Well, since the 'a' tag is allowed by our strip_tags call, the tag is kept together with all of its attributes, and the malicious code gets injected.

So here is what I discovered today: "strip_tags is not safe enough."

The next question that popped into my mind was: "How do I make strip_tags safe enough without adding any external library to the project?"

Well, the easy solution was to also strip away the HTML attributes (since in my case they weren't needed). How to do that? This snippet of code worked (for now) for me.

[GitHub Gist 2509477 could not be embedded here]
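The same idea, as an added example that is not the author's gist: keep a whitelist of tags but remove every attribute, using PHP's built-in DOMDocument parser instead of a regex. The function names are my own and the input string is constructed for the demo.

```php
<?php
// Added example, not the post's gist: keep a whitelist of tags but drop every
// attribute, using PHP's built-in DOM parser instead of a regex (names are my own).
function clean_node(DOMNode $node, array $allowed): void
{
    foreach (iterator_to_array($node->childNodes) as $child) { // copy: list mutates
        if (!$child instanceof DOMElement) {
            continue;                        // text nodes are kept as-is
        }
        $tag = strtolower($child->tagName);
        if ($tag === 'script' || $tag === 'style') {
            $node->removeChild($child);      // drop the contents too, unlike strip_tags
            continue;
        }
        clean_node($child, $allowed);
        if (in_array($tag, $allowed, true)) {
            // Allowed tag: remove href, onmouseover, style ... all of them.
            while ($child->attributes->length > 0) {
                $child->removeAttributeNode($child->attributes->item(0));
            }
        } else {
            // Disallowed tag: unwrap it, keeping its already-cleaned children.
            while ($child->firstChild !== null) {
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
        }
    }
}

function strip_tags_and_attributes(string $html, array $allowedTags): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);    // tolerate malformed markup quietly
    $doc->loadHTML('<?xml encoding="UTF-8">' . $html); // PI tells libxml it is UTF-8
    libxml_clear_errors();
    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) { return ''; }
    clean_node($body, array_map('strtolower', $allowedTags));
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);  // text nodes are re-escaped here
    }
    return $out;
}

// Constructed input in the shape the post describes: an allowed <a> with attributes.
$dirty = '<a href="javascript:alert(1)" onmouseover="alert(2)">click</a><script>steal()</script><b style="color:red">bold</b>';
echo strip_tags($dirty, '<a><b>'), "\n";                  // attributes survive
echo strip_tags_and_attributes($dirty, ['a', 'b']), "\n"; // attributes gone
```

libxml may wrap bare inline content at body level in an implied `<p>`; it is unwrapped like any other disallowed tag unless you add `p` to the whitelist.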

Further readings:



  • Matteo

    Nice article buch, especially the picture :D I remember reading somewhere that, in general, regexes aren't safe enough for sanitizing HTML; if I'm not mistaken there's a library that uses an HTML parser to remove potentially dangerous attributes. If I find the article I'll link it to you.

  • Andrea Baccega

    Thanks Matteo. I think the further readings I included in the post list some libraries.