
Is there an easy way to remove, with PHP, any type of HTML event attribute from a string? For example, for the events submit, mouseOut, mouseOver, click, blur, focus, etc., to prevent JavaScript injection, for cases like these:

$text = 'mi secure html <div id="javascript_injection" onfocus=function(){SomeJavaScriptCode}></div> <p> Im interested in showing the resulting html </p>';

// desired output, with the event handler removed:
echo $text; // 'mi secure html <div id="javascript_injection" > example </div> <b> Im interested in showing the resulting html </b>'

I'm also interested in showing this:

'mi secure html <div id="javascript_injection" > example </div> <b> Im interested in showing the resulting html </b>

PS: I cannot escape all the text or remove all tags, because there are parts that I want to show as HTML. Imagine you want to show HTML created by one user to another user and want to avoid the injection of JavaScript.

  • What is this supposed to be? PHP? JavaScript? HTML? Commented Jan 22, 2013 at 12:16
  • If your code can be "hacked" through JavaScript, then you had better change the code... Commented Jan 22, 2013 at 12:17
  • I'm sorry, I was editing when you answered the question; it has just been republished. Pay attention to the bold. Commented Jan 22, 2013 at 12:25
  • If you want to allow img elements, you should check src (and other non-obvious constructs) as well, as it may contain JavaScript. There are many other edge cases as well. See the XSS cheat sheet. As Wayne Whitty already said, where is this text coming from? Commented Jan 22, 2013 at 12:32
  • @MarcelKorpel A DOMDocument-based solution should work just fine though, unless I'm missing something obvious. Commented Jan 22, 2013 at 12:44
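As an added illustration of the DOMDocument-based approach the comment above suggests (example code written for this page, not from the original post or its commenters): a small allowlist sanitizer that keeps only the elements and attributes listed, so every on* handler is dropped without having to enumerate them, and that checks the decoded value of href/src, which also covers the `<img src="javascript:...">` case raised in the comments. The function and constant names, the allowlist itself and the sample inputs are this example's own choices.

```php
<?php
// Added example, not code from the original question or its comments: an
// allowlist sanitizer on top of PHP's DOMDocument (ext/dom, bundled with PHP).
// Everything not explicitly allowed is dropped: unknown elements are unwrapped
// (their text survives), unknown attributes, including every on* handler, are
// removed, and href/src must be relative or http(s). Names below are this
// example's own.

// element => attributes that may survive on it (hypothetical allowlist)
const ALLOWED_TAGS = [
    'p'   => [],
    'b'   => [],
    'i'   => [],
    'br'  => [],
    'div' => ['id'],
    'a'   => ['href'],
    'img' => ['src', 'alt'],
];

// Scheme check on the *decoded* attribute value (the DOM has already turned
// &#106;avascript: into javascript:). ASCII control characters and spaces are
// stripped first because browsers ignore them inside "java\nscript:".
function isSafeUrl(string $url): bool
{
    $clean = preg_replace('/[\x00-\x20]+/', '', $url);
    if (preg_match('/^([a-z][a-z0-9+.-]*):/i', $clean, $m)) {
        return in_array(strtolower($m[1]), ['http', 'https'], true);
    }
    return true; // no scheme: relative URL
}

function sanitizeNode(DOMNode $parent): void
{
    // Iterate over a snapshot: the live childNodes list changes while we edit.
    foreach (iterator_to_array($parent->childNodes) as $child) {
        if ($child instanceof DOMText) {
            continue; // plain text is fine; the serializer re-escapes it
        }
        if (!($child instanceof DOMElement)) {
            $parent->removeChild($child); // comments, PIs, CDATA
            continue;
        }
        $tag = strtolower($child->tagName);
        if (!isset(ALLOWED_TAGS[$tag])) {
            if ($tag === 'script' || $tag === 'style') {
                $parent->removeChild($child); // drop the content too
            } else {
                sanitizeNode($child); // unwrap: hoist the sanitized children
                while ($child->firstChild !== null) {
                    $parent->insertBefore($child->firstChild, $child);
                }
                $parent->removeChild($child);
            }
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->name);
            $keep = in_array($name, ALLOWED_TAGS[$tag], true);
            if ($keep && ($name === 'href' || $name === 'src')) {
                $keep = isSafeUrl($attr->value);
            }
            if (!$keep) {
                $child->removeAttribute($attr->name);
            }
        }
        if ($tag === 'img' && !$child->hasAttribute('src')) {
            $parent->removeChild($child); // src was unsafe: drop the whole tag
            continue;
        }
        sanitizeNode($child);
    }
}

function sanitizeHtml(string $dirty): string
{
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true); // tolerate sloppy markup quietly
    $doc->loadHTML('<!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body>' . $dirty . '</body></html>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    // Sanitize the whole body, so a stray </div> in user input cannot escape.
    $body = $doc->getElementsByTagName('body')->item(0);
    sanitizeNode($body);

    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed inputs modelled on the question and on the comment about img src.
$samples = [
    'mi secure html <div id="javascript_injection" onfocus=function(){SomeJavaScriptCode}></div> <p> Im interested in showing the resulting html </p>',
    '<img src="javascript:alert(0)"> <a href="&#106;avascript:alert(1)" onclick="alert(2)">x</a>',
    '<p onmouseover=alert(1)>hover</p><script>alert(2)</script><!-- c -->',
];
foreach ($samples as $dirty) {
    echo sanitizeHtml($dirty), PHP_EOL;
}
```

The point of going through a parser rather than a regex is that the check runs on what the browser will actually see: entity-encoded or whitespace-padded `javascript:` schemes have already been normalised by the time `isSafeUrl` looks at them. Allowing a free-form `id` is itself a risk (user content can shadow or clobber ids the host page relies on), so in practice prefix user ids or drop the attribute.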

1 Answer


The best way to solve this kind of problem is through whitelisting instead of blacklisting. The idea is that you define what tags / attributes you allow, instead of trying to filter out bad things.

A good library that handles this is http://htmlpurifier.org/. You can customize it to make it allow the things you want to keep.

require_once '/path/to/HTMLPurifier.auto.php';

$dirty_html = '<a href="test.html" onclick="alert()">Test</a>';

$config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);
$clean_html = $purifier->purify($dirty_html);

echo $clean_html;

Output:

<a href="test.html">Test</a>

4 Comments

Looks great, but does it disallow <img src="javascript:alert(0)">?
There is a demo page to test: htmlpurifier.org/demo.php (it filters out the entire tag).
I'm not going to manually test every edge case, but it does a pretty good job indeed.
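The answer runs HTML Purifier with its default configuration. As an added example (written for this page, not the answerer's code or HTML Purifier's own documentation), here is the same call with an explicit allowlist tuned to the question: it keeps the tags the asker wants, restricts href/src to http(s), and enables `id` attributes, which the default configuration strips. The function name, the autoload path and the sample inputs are assumptions of this example; the configuration directives are HTML Purifier's own.

```php
<?php
// Added example (not the original answer's code): an allowlist configuration
// for HTML Purifier matching the question. Assumes HTML Purifier was installed
// with Composer; the autoload path is an assumption of this example.
require_once __DIR__ . '/vendor/autoload.php';

function sanitizeUserHtml(string $dirty): string
{
    $config = HTMLPurifier_Config::createDefault();

    // Allowlist of elements and attributes. Event handler attributes
    // (onfocus, onclick, onmouseover, ...) are not listed, so they are removed
    // whatever their name; the list never needs updating for new events.
    $config->set('HTML.Allowed', 'p,b,i,strong,em,br,div[id],a[href],img[src|alt]');

    // id attributes are dropped by default (Attr.EnableID is false) because
    // user-chosen ids can collide with or clobber ids in the host page. The
    // question wants to keep them, so enable them with a forced prefix.
    $config->set('Attr.EnableID', true);
    $config->set('Attr.IDPrefix', 'user_');

    // Only http/https in href and src; javascript:, data:, vbscript: are
    // rejected and the attribute (or, for a required src, the tag) is removed.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);

    // Skip the serialized definition cache so this runs without a writable
    // cache directory; in production leave caching on.
    $config->set('Cache.DefinitionImpl', null);

    $purifier = new HTMLPurifier($config);
    return $purifier->purify($dirty);
}

// Constructed inputs modelled on the question and the answer.
$samples = [
    'mi secure html <div id="javascript_injection" onfocus="SomeJavaScriptCode()"> example </div> <b> Im interested in showing the resulting html </b>',
    '<a href="test.html" onclick="alert()">Test</a>',
    '<img src="javascript:alert(0)" alt="x">',
    '<p onmouseover=alert(1)>hover</p><script>alert(2)</script>',
];

foreach ($samples as $dirty) {
    echo sanitizeUserHtml($dirty), PHP_EOL;
}
```

With this configuration the first sample comes back with the handler gone and the id rewritten to `user_javascript_injection`; relative links such as `test.html` are still accepted because a scheme-less URI is validated against URI.DefaultScheme (http), which is in the allowed set. If your application does not need user-supplied ids at all, leave Attr.EnableID at its default of false.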
