Filter custom html for malicious code

test1

7:44 pm on Jul 9, 2008 (gmt 0)

I have a tool that allows people to build their own web pages that are hosted on the site. I want to add a tool to allow users to add custom html to the page but I'm worried about malicious code that some might enter. Does anyone have any advice or know of any good articles about filtering for this sort of thing while still allowing them to import code?

eelixduppy

8:47 pm on Jul 9, 2008 (gmt 0)

Generally not the safest thing to do; however, what you really need to watch for is JavaScript, or anything that JavaScript can be put into. XSS would be a big issue here, and that's the one thing I'd worry about. PHP has a strip_tags (php.net) function, but I wouldn't just rely on this. You are probably going to want to run other string functions for this to check for any unwanted code. Even with doing what you can to avoid XSS, it is still probable that it can occur.
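An added example (not code from either poster) showing the point above: strip_tags() with an allowed-tag list keeps the tags but leaves their attributes untouched, so event handlers and javascript: URLs survive. The second half is an allow-list sanitizer built on PHP's DOMDocument that keeps only known tags, known attributes and safe URL schemes; the tag/attribute lists and the sample input are assumptions chosen for the demo.

```php
<?php
// Constructed sample of "custom html" a user might submit (placeholder call, not a real payload).
$userHtml = '<p>Hello <b>world</b></p><a href="javascript:doSomething()">link</a>'
          . '<img src="x.png" onerror="doSomething()"><script>doSomething()</script>';

// strip_tags() only decides which TAGS stay; the onerror handler and the
// javascript: href are attributes and pass straight through.
$stripped = strip_tags($userHtml, '<p><b><a><img>');

// Allow-list sanitizer: anything not explicitly permitted is removed.
function sanitize_node(DOMNode $node, array $allowed, array $schemes): void {
    // Copy the child list first: removing from a live NodeList while iterating skips nodes.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMText) {
            continue;                                  // text is inert once re-serialised
        }
        if (!$child instanceof DOMElement || !isset($allowed[$child->tagName])) {
            $node->removeChild($child);                // unknown tag or comment: drop with its subtree
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->name);
            if (!in_array($name, $allowed[$child->tagName], true)) {
                $child->removeAttribute($attr->name);  // removes every on* handler, style, etc.
                continue;
            }
            if (in_array($name, ['href', 'src'], true)) {
                // Browsers ignore embedded whitespace/control chars in URLs, so strip them before checking.
                $url   = preg_replace('/[\x00-\x20]+/', '', $attr->value);
                $parts = parse_url($url);
                $scheme = is_array($parts) ? strtolower($parts['scheme'] ?? '') : null;
                if ($scheme === null || ($scheme !== '' && !in_array($scheme, $schemes, true))) {
                    $child->removeAttribute($attr->name); // javascript:, data:, vbscript:, unparsable
                }
            }
        }
        sanitize_node($child, $allowed, $schemes);     // recurse into permitted elements
    }
}

function sanitize_html(string $html): string {
    // Assumed allow-list: tag => permitted attributes.
    $allowed = ['p' => [], 'b' => [], 'i' => [], 'a' => ['href', 'title'], 'img' => ['src', 'alt']];
    $schemes = ['http', 'https', 'mailto'];
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);                  // tolerate sloppy user markup
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>');
    libxml_clear_errors();
    $root = $doc->getElementsByTagName('div')->item(0); // our wrapper is the first <div> in document order
    sanitize_node($root, $allowed, $schemes);
    $out = '';
    foreach ($root->childNodes as $child) { $out .= $doc->saveHTML($child); }
    return $out;
}

echo "strip_tags: $stripped\n";                        // onerror and javascript: still present
echo "sanitized:  " . sanitize_html($userHtml) . "\n"; // <p>Hello <b>world</b></p><a>link</a><img src="x.png">
```

Re-serialising through the DOM also normalises malformed markup, which closes the gap that regex or string-function filters leave when they see a different tree than the browser does.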