security - Cleaning up HTML from textarea
I have a page with two textareas where registered users can fill them with HTML code. The first one uses TinyMCE (hence the HTML is cleaned), but the second one does not, because I expect the code to be inserted as embed code from other sites (most of which are map sites, such as Google Maps, MapMaris, etc.). But the problem is that these other sites can provide different tags, not just `<embed>` or `<iframe>`.
So I cannot strip tags, because then I might strip tags that I did not know other sites use. I save the HTML from these two textareas in my database, then retrieve and display it as part of some other pages.
Do you have any suggestions for making this setup more secure? Or should I completely reject free HTML input in the 2 textareas? (Or... should I let users tick a checkbox, "I accept full responsibility for the behaviour of the code that I am inserting"...)
Your opinion is highly appreciated. Thank you.
The short answer is: free HTML is unsafe and it should be avoided. Your user has no restriction on creating an iframe that redirects the user to some harmful page, puts ads on your page, or corrupts your site.
My favourite approach to this problem is to let the user paste a link (in the text box: the link, not the "embed on the page" iframe code), then I use a regex to identify the pasted link (is it YouTube, Bing Maps, ...) and I build the HTML from the pasted link myself, which is not very complicated for most iframe providers. This is more work for you, and it restricts the APIs that you can host on your page, but it's safe.
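The link-to-iframe approach the answer describes, as an added example (not code from the question or the answer): a provider allowlist keyed on hostname, a strictly validated identifier, and the embed markup rebuilt from those parts rather than from anything the user typed. The YouTube and OpenStreetMap URL shapes and the `embedFromLink` name are assumptions for illustration.

```javascript
// Added example (not from the original post): turn a pasted link into safe
// iframe markup. Only allowlisted providers produce output; everything else
// is rejected, so no user-supplied HTML is ever stored or rendered.
// Provider URL shapes below are assumptions for illustration.
const PROVIDERS = [
  {
    hosts: ["www.youtube.com", "youtube.com", "youtu.be"],
    // Video id from watch?v=ID or youtu.be/ID; must be the 11-char id form.
    extract(u) {
      const id = u.hostname === "youtu.be" ? u.pathname.slice(1) : u.searchParams.get("v");
      return id && /^[A-Za-z0-9_-]{11}$/.test(id) ? id : null;
    },
    build: (id) => `https://www.youtube.com/embed/${id}`,
  },
  {
    hosts: ["www.openstreetmap.org"],
    // Map bounding box: exactly four decimal numbers, nothing else.
    extract(u) {
      const bbox = u.searchParams.get("bbox");
      return bbox && /^-?\d+(\.\d+)?(,-?\d+(\.\d+)?){3}$/.test(bbox) ? bbox : null;
    },
    build: (bbox) => `https://www.openstreetmap.org/export/embed.html?bbox=${bbox}&layer=mapnik`,
  },
];

// Escape for use inside a double-quoted HTML attribute.
function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Returns iframe markup for a recognised link, or null if the link is not
// from an allowlisted provider or its identifying parameter fails validation.
function embedFromLink(link) {
  let u;
  try { u = new URL(link); } catch { return null; }
  if (u.protocol !== "https:") return null;            // no javascript:, data:, http:
  const provider = PROVIDERS.find((p) => p.hosts.includes(u.hostname));
  if (!provider) return null;
  const key = provider.extract(u);
  if (key === null) return null;
  const src = provider.build(key);                      // rebuilt from validated parts only
  // sandbox without allow-top-navigation or allow-popups: the frame cannot
  // redirect the hosting page or open windows, the risk the answer describes.
  return `<iframe src="${escapeAttr(src)}" sandbox="allow-scripts allow-same-origin"` +
    ` referrerpolicy="no-referrer" loading="lazy"></iframe>`;
}
```

Store the validated link (or the generated markup) rather than the textarea contents, so the rendering page never has to trust stored HTML.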