所以,我正在寻找基于PHP的HTML消毒/过滤解决方案.商业解决方案很好(甚至优选).目前,我们正在使用修改后的HTML净化器,但我们对结果不满意.
什么是能够过滤恶意HTML部分的好的库/工具?
很高兴有例如HTML5意识,一旦它在野外可用,这将成为一个安全的噩梦.
更新:
我们正在做一个HTML Purifier的深入配置.看起来我们以前使用的旧框架根本就没有配置它.现在结果看起来好多了
就我个人来说,HTML Purifier project的成绩非常好
它是高度可定制的,并有一个巨大的代码库.唯一的问题是将文件上传到您的服务器.
您确定您的安装没有配置问题吗?由于如果配置正确,净化器根本不应该通过任何HTML标签.
从网站:
HTML Purifier is a standards-compliant
HTML filter library written in PHP.
HTML Purifier will not only remove all
malicIoUs code (better known as
XSS) with a thoroughly audited,
secure yet permissive whitelist,it
will also make sure your documents are
standards compliant,something only
achievable with a comprehensive
knowledge of W3C’s specifications.
Tired of using BBCode due to the
current landscape of deficient or
insecure HTML filters? Have a
WYSIWYG editor but never been able to
use it? Looking for high-quality,
standards-compliant,open-source
components for that application
you’re building? HTML Purifier is for
you!
我写了一篇关于如何使用HTML purifier library with CodeIgniter的文章.
也许这将有助于再次尝试:
// load the config and overide defaults as necessary
$config = HTMLPurifier_Config::createDefault();
$config->set('HTML','Doctype','XHTML 1.0 Transitional');
$config->set('HTML','AllowedElements','a,em,blockquote,p,strong,pre,code');
$config->set('HTML','AllowedAttributes','a.href,a.title');
$config->set('HTML','TidyLevel','light');
