4

Is htmlentities the best solution to prevent XSS in PHP? Also, I would like to allow simple tags like b, i, a and img. What would be the best solution to implement this? I did consider BBCode but found out that, if not implemented properly, I too will have an XSS problem. What should I do? Any good third-party library is welcome.

EDIT:

I just tried HTML Purifier and it failed on this case. Just see this example

Marek Grzenkowicz
aWebDeveloper
  • Take a look at this site [https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet](https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet) Then take a look at this site [https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet](https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet) I think those links are interesting, too: [http://code.google.com/p/owasp-esapi-php/](http://code.google.com/p/owasp-esapi-php/) and [http://code.google.com/p/owasp-esapi-js/](http://code.google.com/p/owasp-esapi-js/) – chris Feb 07 '13 at 23:10

3 Answers

3

For that, I would go for HTML Purifier, and yes, you can specify your whitelist tags there too.

HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, it will also make sure your documents are standards compliant, something only achievable with a comprehensive knowledge of W3C's specifications.

I know there are certain functions in PHP language for that but I would prefer a dedicated solution instead.

Sarfraz
2

Have a look at custom markup languages like Markdown (used by Stack Overflow), reStructuredText, Textile or similar lightweight markup languages.

knittl
1

Try using this code (it allows for <i>, <b> and <del>):

<?php

// Untrusted input: only <b>, <i> and <del> should survive as markup.
$html = '<b>Inline <del>context <div>No block allowed <great going </div></del></b>';

// array_walk passes (value, key): even-numbered parts are the text between
// allowed tags and get escaped, odd-numbered parts are the allowed tags themselves.
function escapeEveryOther(&$v, $k) {
    if($k % 2 == 0) {
        $v = htmlspecialchars($v);
    }
}

// Split on the allowed tags and keep the tags (delimiters) in the result.
$parts = preg_split('`(</?(?:b|i|del)>)`is', $html, -1, PREG_SPLIT_DELIM_CAPTURE);
array_walk($parts, 'escapeEveryOther');

$html = implode('', $parts);

and then pass $html through HTMLPurifier to fix non-matching tag openings and closings.

Kamil Szot
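The split-and-escape approach of the last answer extended to the a and img tags the question asks about, as an added example that is not code from the question or from any of the answers (the function names, the http(s)-only URL allowlist regex and the sample input are assumptions constructed for this illustration): each captured tag is rebuilt from scratch with only its one allowed attribute, and a URL is accepted only if it is absolute http or https.

```php
<?php
// Added example (not from the question or any answer above): extends the last answer's
// split-and-escape idea to <a href> and <img src>. Names and sample input are constructed.
// Escapes a URL for an attribute, but only if it is absolute http(s); javascript:, data:,
// vbscript: and protocol-relative URLs are all rejected.
function safeUrl(string $raw): ?string {
    $url = trim($raw);
    return preg_match('~^https?://[^\s"\'<>]+$~i', $url)
        ? htmlspecialchars($url, ENT_QUOTES, 'UTF-8')
        : null;
}

// Extracts one attribute value (double-quoted, single-quoted or bare) from a raw attribute string.
function attrValue(string $attrs, string $name): ?string {
    $re = '~\b' . $name . '\s*=\s*(?|"([^"]*)"|\'([^\']*)\'|([^\s>]+))~i';
    return preg_match($re, $attrs, $m) ? $m[1] : null;
}

// Rebuilds a captured tag with only its allowed attribute; returns null when it must be treated as text.
function rebuildTag(string $tag): ?string {
    if (preg_match('~^</?(?:b|i|del)>$~i', $tag)) {
        return strtolower($tag);
    }
    if (strcasecmp($tag, '</a>') === 0) {
        return '</a>';
    }
    if (preg_match('~^<a\b([^>]*)>$~i', $tag, $m) && ($url = safeUrl((string) attrValue($m[1], 'href')))) {
        return '<a href="' . $url . '" rel="nofollow">';   // onclick and any other attribute are dropped
    }
    if (preg_match('~^<img\b([^>]*)>$~i', $tag, $m) && ($url = safeUrl((string) attrValue($m[1], 'src')))) {
        return '<img src="' . $url . '" alt="">';
    }
    return null;
}

function sanitizeInline(string $html): string {
    // As in the answer above: odd-numbered parts are candidate tags, even-numbered parts are text.
    $parts = preg_split('~(</?(?:b|i|del|a)\b[^>]*>|<img\b[^>]*>)~i', $html, -1, PREG_SPLIT_DELIM_CAPTURE);
    foreach ($parts as $k => $v) {
        $safe = ($k % 2 === 1) ? rebuildTag($v) : null;
        $parts[$k] = $safe ?? htmlspecialchars($v, ENT_QUOTES, 'UTF-8');
    }
    return implode('', $parts);
}

// Constructed untrusted input: a forbidden URL scheme, extra event-handler attributes and a block tag.
$input = '<b>Hi</b> <a href="javascript:alert(1)">bad</a> <a href="https://example.com/?a=1&b=2" onclick="x()">ok</a> '
       . '<img src="https://example.com/p.png" onerror="x()"> <div>no</div>';
echo sanitizeInline($input), PHP_EOL;
```

Anything the rebuild rejects, such as the javascript: link and the div in the sample, comes out as escaped text; as the answer notes, unbalanced tags such as the leftover </a> still want a pass through HTML Purifier.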