
Avoiding XSS injection without sacrificing some tags in PHP

23 Mar 12

Sooner or later I always remember that I have a blog. This time the topic is XSS.

If you don’t have a clue of what XSS is, maybe you should read this before reading this article.

In my day job the content is generated by third-party people. In order to be safe, I always thought PHP’s strip_tags function was safe enough. In my case I needed some HTML tags to keep working without letting malicious code pass through.

Fortunately strip_tags accepts, as its second parameter, a list of the tags that are allowed. But here is the glitch:

What happens if the variable you’d like to strip contains something like this?

Well, since the ‘a’ tag is allowed by our strip_tags call, the tag survives together with its attributes, and the malicious code gets injected.

So here is what I discovered today: “strip_tags is not safe enough.”

The next question that popped into my mind was: “How do I get strip_tags safe enough without adding any external library to the project?”

Well, the easy solution was to also strip away the HTML attributes (since in my case those weren’t needed). How to do that? This snippet of code worked (for now) for me.
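The following is an added example, not the snippet from the original post, showing the two-step approach the post describes: whitelist tags with strip_tags, then remove every attribute from the tags that survive. It also shows why the whitelist alone is not enough, since strip_tags keeps attributes on allowed tags untouched. The function names, the sample input and the attribute-stripping code are my own; the second function uses DOMDocument instead of a regular expression, which is an assumption about a more robust way to do the same job.

```php
<?php
// Added example (not the blog author's code): allow a few HTML tags but drop
// every attribute, so that an event-handler or javascript: attribute on an
// allowed tag cannot survive. Function names and the sample input are mine.

declare(strict_types=1);

/**
 * Whitelist tags with strip_tags(), then remove all attributes with a regex.
 * Quick approach; it is fooled by attribute values that contain a '>'.
 */
function sanitizeWithRegex(string $html, array $allowedTags): string
{
    $allowed  = '<' . implode('><', $allowedTags) . '>';
    $stripped = strip_tags($html, $allowed);

    // Keep only the tag name (and a trailing "/" for self-closing tags) of every opening tag.
    return preg_replace('#<([a-z][a-z0-9]*)\b[^>]*?(/?)>#i', '<$1$2>', $stripped);
}

/**
 * Same whitelist step, but attributes are removed through a real HTML parser,
 * which does not get confused by quoting tricks inside attribute values.
 */
function sanitizeWithDom(string $html, array $allowedTags): string
{
    $allowed  = '<' . implode('><', $allowedTags) . '>';
    $stripped = strip_tags($html, $allowed);

    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // tolerate the sloppy HTML third parties send
    $doc->loadHTML(
        '<!DOCTYPE html><html><head><meta charset="utf-8"></head><body>'
        . $stripped . '</body></html>'
    );
    libxml_clear_errors();

    foreach ((new DOMXPath($doc))->query('//body//*') as $element) {
        // Collect the names first: removing while iterating the live map skips entries.
        $names = [];
        foreach ($element->attributes as $attr) {
            $names[] = $attr->name;
        }
        foreach ($names as $name) {
            $element->removeAttribute($name);
        }
    }

    // Serialize only the children of <body>, i.e. the cleaned fragment.
    $body = $doc->getElementsByTagName('body')->item(0);
    $out  = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample: third-party content where an allowed tag carries an event handler.
$untrusted = '<p>Hello <a href="#" onmouseover="payload()">world</a></p>';
$allowed   = ['p', 'a', 'b', 'i'];

echo "strip_tags only : ", strip_tags($untrusted, '<p><a><b><i>'), PHP_EOL;
echo "regex attributes: ", sanitizeWithRegex($untrusted, $allowed), PHP_EOL;
echo "DOM attributes  : ", sanitizeWithDom($untrusted, $allowed), PHP_EOL;
```

Running it shows the point of the post: the first line still carries the onmouseover attribute because strip_tags only filters tag names, while both sanitizers reduce the anchor to a bare `<a>`. Dropping every attribute also drops `href`, which is acceptable only when, as the post says, attributes are not needed at all; if some of them are, a parser-based approach with an attribute allow list is the natural extension of the DOM version above.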

Further readings:

Comments

  • Matteo

    Nice article buch, especially the image 😀 I remember reading somewhere that in general regexps are not safe enough to sanitize HTML; if I’m not mistaken there is a library that uses an HTML parser to remove the potentially harmful attributes. If I find the article I’ll link it to you.

  • Andrea Baccega

    Thanks Matteo. I think there are some libraries in the further readings I put in the post.