0
使用HTML Purifier 过滤HTML 防范 XSS攻击
最近使用Parsedown转换Markdown语法为HTML, 但是该包不会转义和过滤XSS, 因为Markdown语法里面只支持直接写HTML的。所以只能找其他的方法实现。
HTML Purifier 很多富文本编辑器都是使用它来过滤XSS。除了过滤恶意代码外,还支持下面的一些特性。
- 闭合HTML TAG,比如你只输入了一个
<a href="#hash">会自动给你补全为<a href="#hash"></a> - 清除不需要的标签和属性。
- 过滤iframe加载URL
- 删除无用的空TAG
使用
<?php
require_once '/path/to/HTMLPurifier.auto.php';
$config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);
$clean_html = $purifier->purify($dirty_html);项目地址: https://github.com/ezyang/htmlpurifier
Laravel 封装
Laravel封装的版本。更易用一些。 项目地址:https://github.com/mewebstudio/Purifier
只用像下面这样配置即可
//config/purifier.php
return [
'encoding' => 'UTF-8',
'finalize' => true,
'cachePath' => storage_path('app/purifier'),
'cacheFileMode' => 0755,
'settings' => [
'default' => [
'HTML.Doctype' => 'HTML 4.01 Transitional',
'HTML.Allowed' => 'div,b,strong,i,em,u,a[href|title],ul,ol,li,p[style],br,span[style],img[width|height|alt|src]',
'CSS.AllowedProperties' => 'font,font-size,font-weight,font-style,font-family,text-decoration,padding-left,color,background-color,text-align',
'AutoFormat.AutoParagraph' => true,
'AutoFormat.RemoveEmpty' => true,
],
'test' => [
'Attr.EnableID' => 'true',
],
"youtube" => [
"HTML.SafeIframe" => 'true',
"URI.SafeIframeRegexp" => "%^(http://|https://|//)(www.youtube.com/embed/|player.vimeo.com/video/)%",
],
'custom_definition' => [
'id' => 'html5-definitions',
'rev' => 1,
'debug' => false,
'elements' => [
// http://developers.whatwg.org/sections.html
['section', 'Block', 'Flow', 'Common'],
['nav', 'Block', 'Flow', 'Common'],
['article', 'Block', 'Flow', 'Common'],
['aside', 'Block', 'Flow', 'Common'],
['header', 'Block', 'Flow', 'Common'],
['footer', 'Block', 'Flow', 'Common'],
// Content model actually excludes several tags, not modelled here
['address', 'Block', 'Flow', 'Common'],
['hgroup', 'Block', 'Required: h1 | h2 | h3 | h4 | h5 | h6', 'Common'],
// http://developers.whatwg.org/grouping-content.html
['figure', 'Block', 'Optional: (figcaption, Flow) | (Flow, figcaption) | Flow', 'Common'],
['figcaption', 'Inline', 'Flow', 'Common'],
// http://developers.whatwg.org/the-video-element.html#the-video-element
['video', 'Block', 'Optional: (source, Flow) | (Flow, source) | Flow', 'Common', [
'src' => 'URI',
'type' => 'Text',
'width' => 'Length',
'height' => 'Length',
'poster' => 'URI',
'preload' => 'Enum#auto,metadata,none',
'controls' => 'Bool',
]],
['source', 'Block', 'Flow', 'Common', [
'src' => 'URI',
'type' => 'Text',
]],
// http://developers.whatwg.org/text-level-semantics.html
['s', 'Inline', 'Inline', 'Common'],
['var', 'Inline', 'Inline', 'Common'],
['sub', 'Inline', 'Inline', 'Common'],
['sup', 'Inline', 'Inline', 'Common'],
['mark', 'Inline', 'Inline', 'Common'],
['wbr', 'Inline', 'Empty', 'Core'],
// http://developers.whatwg.org/edits.html
['ins', 'Block', 'Flow', 'Common', ['cite' => 'URI', 'datetime' => 'CDATA']],
['del', 'Block', 'Flow', 'Common', ['cite' => 'URI', 'datetime' => 'CDATA']],
],
'attributes' => [
['iframe', 'allowfullscreen', 'Bool'],
['table', 'height', 'Text'],
['td', 'border', 'Text'],
['th', 'border', 'Text'],
['tr', 'width', 'Text'],
['tr', 'height', 'Text'],
['tr', 'border', 'Text'],
],
],
'custom_attributes' => [
['a', 'target', 'Enum#_blank,_self,_target,_top'],
],
'custom_elements' => [
['u', 'Inline', 'Inline', 'Common'],
],
],
];回复
Recommend
Recent search keywords
- m31s
- khmer
- iptv+smart+player
- JAC+8229B
- Savings+Account
- 4th+generation
- Personal+Loan+Account
- clash+tun
- Oneplus+8t
- galaxy+s24+ultra
- checking+system+health+gpt
- Indian+Rupee+Ngultrum
- Kuwaiti+Dinar
- PlayWright
- solid+state
- Slim+odan
- radio+setup
- mlc+llm
- junsun+v1+pro+c,+radio+setup
- AGGIORNAMENTO+ROM+AC8227L+-+Android+JCAC10003-OC2
- checking+system+health
- read+only
- Ergonomic+Frozen+Shirt
- unidoc+health
- tab+4
- YT9217b+firmware
- Northern+Mariana+Islands
- utunnel
- read only
- radio
- 著作權
- M3U8
- 鸿蒙
- Japan
- @@neb61
- Laptop Rental - All Major Brand Laptops For Rent in Mumbai
- yt9213aj
- galaxy s24 ultra
- alwinner
- nat geo
- AGGIORNAMENTO ROM AC8227L - Android JCAC10003-OC2
- wulu
- office
- offcie
- gospel americano
- junsun v1 pro c, radio setup
- radio setup
- AC8227L Android head unit 4gb/32gb
- K4811_NWD_S217206
- unidoc health
- 5ber
- YT9217b
- YT9217b firmware
- HW8227L
- tinystudio
- Slim odan
- Slim
- clash tun
- tun
- 国模
- 中文数据集
- 北邮人论坛十大_2024_04_18
- 北邮人论坛十大_2024_03_23
- JAC 8229B
- JCAC10003-OC2-V1.0.03B21041
- JCAC10003-OC2-V1.0.03B1
- atrust
- dallas.lu
- 知情同意的
- checking system health gpt
- checking system health
- iptv smart player
- LLM
- MLC
- mlc llm
- k4811_oh_s217101
- 8257 logo
- logo
- Oneplus 8t
- Kernel
- tab 4
- JCAC10003-OC2-V1.0.071R5-230413_0757
- SCSI
- incentivize
- Ergonomic Frozen Shirt
- Producer
- 4th generation
- parsing
- Berkshire
- Multi-tiered
- copy
- teal
- Hills
- card
- Wooden
- Northern Mariana Islands
- deliver
- syndicate
- Money Market Account
- Assurance