Wednesday, May 30, 2018

How to reduce the risk of XSS while allowing HTML tags

1. Allow a limited set of HTML tags:

  'a'
  'em'
  'strong'
  'cite'
  'code'
  'ul'
  'ol'
  'li'
  'dl'
  'dt'
  'dd'

Refer to the way Drupal does this in filter_xss(): https://api.drupal.org/api/drupal/modules%21filter%21filter.module/function/filter_xss/6.x

2. Remove all script event handlers (onload/onerror/on[a-z]{1,10}=) and src-based payloads (e.g. src=javascript:alert()) when storing product information. Patterns to strip:

  on[a-z]{1,10}=
  javascript:
  data:
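As an added example (not code from the post or from Drupal), the following Python sanitizer applies both rules above: it keeps only the listed tags, drops any on* attribute, and rejects javascript:/data: URLs in href/src (after stripping the control characters browsers ignore inside a scheme). The per-tag attribute allowlist for `a` is my assumption, since the post names none.

```python
import html
import re
from html.parser import HTMLParser

# Tags from the post; the per-tag attribute allowlist is my assumption (the post names none).
ALLOWED_TAGS = {"a", "em", "strong", "cite", "code", "ul", "ol", "li", "dl", "dt", "dd"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
EVENT_HANDLER = re.compile(r"^on[a-z]{1,10}$", re.IGNORECASE)  # the post's on[a-z]{1,10}= rule
BAD_SCHEME = re.compile(r"^(javascript|data|vbscript):", re.IGNORECASE)

class WhitelistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags = [], []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # tag dropped; its text still arrives via handle_data and is escaped
        kept = []
        for name, value in attrs:
            if EVENT_HANDLER.match(name) or name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drop on* handlers and anything not allowlisted for this tag
            # browsers ignore control chars inside a scheme ("jav\tascript:"), so strip them first
            if name in ("href", "src") and BAD_SCHEME.match(re.sub(r"[\x00-\x20]", "", value or "")):
                continue  # drop javascript:/data: URLs
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open_tags:  # also close tags opened after it, so output stays well-formed
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

    def close(self):
        super().close()  # flush buffered text before closing what the input left open
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")

def sanitize(fragment: str) -> str:
    parser = WhitelistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)
```

Text inside a dropped tag (including the body of a `<script>` element) is kept as escaped text rather than executed, which is the same behaviour Drupal's filter_xss() has for disallowed markup.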
