Avoid XSS attacks when storing HTML

My site stores HTML that is generated by the user. Then, of course, this data is displayed on the web page. What are the best methods for sanitizing HTML and avoiding XSS attacks? Does removing the <script> and <iframe> tags suffice? Will it cover all browsers? I heard about old browsers displaying HTML from weird encodings... how can I handle this?

I would like a general answer that is not tied to any particular language or technology.

+3

4 answers

You can use libraries like Jsoup, especially their whitelist sanitizer, to prevent XSS.

, , approach , . , HTML . , markdown.

+3

& → &amp;
< → &lt;
> → &gt;
" → &quot;
' → &#x27;
/ → &#x2F;

0
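Added example, not code from any of the answers above: the two answers describe complementary halves of the same approach, an allowlist sanitizer (what Jsoup's whitelist sanitizer does) and output escaping of the six characters listed above. The block below combines them in Python on top of the standard-library html.parser, so it runs offline: the output is rebuilt from scratch, only allowlisted tags and attributes survive, <script>/<iframe> content is discarded, event-handler attributes and javascript: URLs are dropped, and every text node and attribute value is re-encoded with that six-character table. The allowlist, the sample input and the helper names are constructed for this example.

```python
"""Allowlist HTML sanitizer with six-character output escaping (added example)."""
from html.parser import HTMLParser

# Output escaping table: the six characters from the answer above.
ESCAPE_TABLE = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;",
    '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
}

def escape_html(text: str) -> str:
    """Entity-encode the characters that can break out of text or attribute context."""
    return "".join(ESCAPE_TABLE.get(ch, ch) for ch in text)

# Allowlist (constructed for this example): tag -> attributes permitted on it.
ALLOWED = {
    "p": set(), "b": set(), "i": set(), "strong": set(), "em": set(),
    "ul": set(), "ol": set(), "li": set(), "br": set(),
    "a": {"href"},
}
VOID_TAGS = {"br"}
URL_ATTRS = {"href"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")
# The whole content of these elements is discarded, not just the tags.
DROP_CONTENT = {"script", "style", "iframe", "object", "embed"}

def safe_url(value: str) -> bool:
    """Accept only absolute http(s)/mailto URLs; everything else (javascript:, data:, relative) is dropped."""
    # Remove whitespace/control characters and lower-case before matching the scheme,
    # so obfuscations such as "JavaScript:" or "java\tscript:" do not slip through.
    cleaned = "".join(ch for ch in value if not ch.isspace() and ch.isprintable()).lower()
    return cleaned.startswith(SAFE_SCHEMES)

class AllowlistSanitizer(HTMLParser):
    """Parses untrusted HTML and re-emits only the allowlisted structure."""

    def __init__(self):
        # convert_charrefs=True decodes &lt;, &#106; etc. first, so the input is
        # canonicalised before the allowlist check and re-encoded on output.
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a dropped element such as <script>

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_CONTENT:
                self.skip_depth += 1
            return
        if tag in DROP_CONTENT:
            self.skip_depth = 1
            return
        if tag not in ALLOWED:
            return  # unknown tag: drop the tag itself, keep its text content
        parts = [tag]
        for name, value in attrs:
            if name not in ALLOWED[tag]:
                continue  # drops onmouseover, onerror, style, ...
            value = value or ""
            if name in URL_ATTRS and not safe_url(value):
                continue
            parts.append(f'{name}="{escape_html(value)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_CONTENT:
                self.skip_depth -= 1
            return
        if tag in ALLOWED and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape_html(data))

    def handle_comment(self, data):
        pass  # comments (including conditional comments) are dropped

def sanitize(html: str) -> str:
    """Return a sanitized copy of untrusted HTML, safe to embed in a page body."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)

# Constructed sample input mixing benign markup with the usual injection attempts.
SAMPLE = (
    '<p onmouseover="evil()">Hello <b>world</b></p>'
    '<script>steal()</script>'
    '<a href="JavaScript:alert(1)">bad</a>'
    '<a href="https://example.com/">good</a>'
    '&lt;img src=x onerror=alert(1)&gt;'
)

if __name__ == "__main__":
    print(sanitize(SAMPLE))
```

Because the parser decodes entities before the allowlist check and the emitter re-encodes everything on the way out, the odd encodings the question worries about are normalised rather than matched by regex, and the escaped slashes in the surviving href are decoded by the browser, so the link still works. Rebuilding the output from a parse tree is also why a library such as Jsoup is preferable to deleting blacklisted tags from the raw string.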

, , . , html , , . , markdown BBcode . , StackOverflow .

, , 10 000 -.

0

You’re lost when you allow your user to insert HTML on their page; there are many features like onmouseover "myEvilJS" or

0