Hackszine.com: Stop XSS attacks with SafeHTML

Stop XSS attacks with SafeHTML

If you allow user-contributed content in your site, you run into the problem of dealing with user supplied HTML in a safe manner. The most secure way of dealing with things, of course, is to strip or escape all HTML from user input fields. Unfortunately, there are many situations where it would be nice to allow a large subset of HTML input, but block out anything potentially dangerous.

SafeHTML is a lightweight PHP user input sanitizer that does just that. Just run any input field through the SafeHTML filter and any javascript, object tags, or layout breaking tags will be stripped from the supplied text. It also does a reasonable job of correcting any gnarly, malformed code, which is also a common problem with user-contributed data.

Using it is easy. Just instantiate the SafeHTML object and call its parse method:

require_once('classes/safehtml.php'); $safehtml =& new SafeHTML();
if ( isset( $_POST["inputfield"] ) ) { $inputfield=$_POST["inputfield"]; $cleaninput = $safehtml->parse($inputfield); }

This will take the posted "inputfield" parameter, strip any baddies, XHTMLify what's left, and the result will be stored in the $cleaninput variable. It's a simple addition to your code, and a lot more straightforward than trying to roll your own.

My only beef with the package is that it's written with a default allow policy, stripping out tags that are in its deleteTags array, but essentially allowing anything else through. If you'd rather only let through tags that you specifically want to allow, I'd recommend adding an allowTags array and adjusting the _openHandler method, adding the following after the deleteTags check:

if ( ! in_array($name, $this->allowTags)) { return true; }

You'll need to fill allowTags with everything you know to be safe and welcome, and you may miss a few that people will end up wanting to legitimately use, but this is easily corrected and the default deny policy is much safer in the long run.

SafeHTML - an anti-XSS HTML parser, written in PHP

Posted by Jason Striegel | Apr 29, 2008 08:49 PM
Network Security, PHP, Web | Permalink | Comments (4)

Comments

Newest comments listed first.

Posted by: the_angry_angel on April 30, 2008 at 2:44 PM

HTML_Safe/SafeHTML

Whilst HTMLSafe is a good library, I'm actually in the process of moving an internal project that I develop at work from HTMLSafe to HTMLPurifier.

HTMLSafe is perfectly fine with the current set of tags and so forth, but should HTML get extended in the future the blocklist that it currently ships with could be an issue.

My reasoning being that I'm not always going to be a round - I could run over a bus tomorrow, and despite HTMLPurifier being slower, it might be safer in the long run.

Posted by: astewart on May 1, 2008 at 12:01 AM

htmLawed

a safe_html alternate - htmlawed
fantastic, superfast
bioinformatics.org/phplabware/internal_utilities/htmLawed/index.php

Posted by: Eric Monti on May 6, 2008 at 12:17 PM

HTML tidy

Good ole HTML tidy has been used this way too:
http://tidy.sourceforge.net/

Posted by: SnowLeopard on May 8, 2008 at 12:26 AM

Extra Safe

Sometimes it's possible to fool filters like this easily.

I used:

if ( isset( $_POST["inputfield"] ) )
{
$inputfield = $_POST["inputfield"];
$cleaninput = $safehtml->parse($inputfield);
while ( $inputfield != $cleaninput )
{
$inputfield = $cleaninput;
$cleaninput = $safehtml->parse($inputfield);
}
}