Skip to content
Advertisement

How to store user content while avoiding XSS vulnerabilities

I know similar questions have been asked but I am struggling to work out how to do it.

I am building a CMS, rather primitive right now, but it’s as a learning exercise; in a production site, I would use an existing solution for sure.

I would like to take user input, which can be styled in a WYSIWYG editor. I would also like them to be able to insert images inline.

I understand I can store HTML in the database but how can I safely re-render this. I know there is no problem with the HTML being stored but it is my understanding that XSS become an issue if I were to just simply dump the user-generated code onto a layout template.

So the question put simply, is how can I store and safely rerender user content in cms? I am using Laravel and PHP. I also have a little knowledge of javascript if its required.

Advertisement

Answer

For a CMS where you want to allow some tags but not others, then you want something like HTML Purifier. This will take HTML and run it against a whitelist and regenerate HTML that is safe to display back to the user.

User contributions licensed under: CC BY-SA
9 People found this is helpful
Advertisement