Sanitize All Scripts From Html String
Solution 1:
You could use a sanitizer like Google Caja to remove malicious JavaScript - you could even use it to strip all JavaScript content if desired.
However, I question your goals. Is your aim to prevent self-XSS? Unless you output the HTML somewhere, there is no danger to the user. If you output the HTML to the same user and there are other methods of entering the content other than paste, then you should make sure you protect the page against CSRF. This would stop an attacker inserting their own malicious JavaScript under the authorisation of the current user.
If you output the HTML to other users, you may wish to sanitize the content server side. If HTML content isn't allowed at all then you should HTML encode when output so a <script> tag will display as <script> in the browser rather than being interpreted as a code block by the browser.
If you need to output HTML, but without scripts you should sanitize it server side and you should also implement a Content Security Policy. With the correct policy you can prevent inline scripts from running at all in modern browsers. The CSP will prevent any future bugs found in your chosen sanitizer from posing a threat to the user. Supported browsers are detailed here.
You mention that you want to support styles - note that CSS stylesheets can also contain code. This is an Internet Explorer supported concept (and old versions of FireFox). However, your CSP should prevent this if you disallow inline styles.
Solution 2:
If the user is uploading it for other's to view, you should use a PHP setup with a white list of approved tags, and prevent them from uploading JavaScript, otherwise they could edit it anyway and the script becomes useless. If they aren't uploading for others to see, you needn't do anything because they are only going to harm themselves.
Post a Comment for "Sanitize All Scripts From Html String"