Understanding XSS (cross-site scripting) attacks

Quick description

XSS refers to an attacker exploiting a website's failure to escape, or insufficient filtering of, user-submitted data in order to add code that gets embedded in a web page, so that the embedded code runs whenever other users visit that page.

At the mild end, the result is garbled content, JavaScript pop-ups or redirects in the rendered page, which hurt the user experience. At the serious end, the injected code obtains the user's cookie value and steals user information.
To handle this, on the PHP side we can strip HTML tags from user-submitted data with a function. When a rich text editor such as UEditor is used, the editor automatically converts the HTML tags entered by the user into HTML entities.

Special case

But there is a special case: we want users to edit the style of their text themselves, not limited to the styles the rich text editor provides. In that case the editor's configuration file is modified so that code entered in the editor's HTML mode does not have its HTML tags converted into entities, or a plain input box is used directly. Now the PHP side can no longer use a function to strip tags or symbols: if they are stripped, the user-defined CSS styles will not take effect.
But if they are not stripped, users may enter JavaScript or other code that performs an XSS attack. In that case a third-party filtering tool, XSS, can be called to filter the tags and attributes that can cause XSS attacks, keeping the HTML code clean.
Currently, the tags and attributes that need to be filtered are the script tag and the action attribute of form. If you don't want to allow script wholesale but still want to keep some simple JS functions, XSS lets you customize a whitelist for script.
Other thoughts will be added.
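An allowlist filter of the kind described above, written in JavaScript as an added example (it is not the post's own code and not the third-party XSS library): it drops script elements and the action attribute of form, removes every event-handler attribute and unsafe URL scheme, and keeps the user's inline styles limited to a short list of harmless CSS properties. The tag, attribute and CSS-property lists are assumptions chosen for this demo.

```javascript
// Allowlist (whitelist) HTML filter. Added example: not the post's code or the "xss" library;
// the lists below are demo assumptions. Production code should use a parser-based sanitizer.
const ALLOWED_TAGS = new Set(["p", "div", "span", "b", "i", "u", "strong", "em",
  "a", "img", "br", "ul", "ol", "li", "form"]);
// Attributes allowed on every tag plus per-tag extras. "form" keeps no "action",
// and no "on*" handler appears anywhere, so both are dropped on output.
const ALLOWED_ATTRS = { "*": ["style", "class"], a: ["href", "title"], img: ["src", "alt"] };
// User-defined inline styles survive, but only harmless properties with plain values.
const SAFE_CSS_PROP = /^(color|background-color|font-size|font-weight|font-family|text-align|text-decoration)$/;

function safeStyle(value) {
  return value.split(";").map((decl) => {
    const i = decl.indexOf(":");
    if (i < 0) return null;
    const prop = decl.slice(0, i).trim().toLowerCase();
    const val = decl.slice(i + 1).trim();
    // Reject unknown properties and values carrying url(), expression() or escapes.
    if (!SAFE_CSS_PROP.test(prop) || /[()\\]|expression|url/i.test(val)) return null;
    return `${prop}:${val}`;
  }).filter(Boolean).join(";");
}

function safeUrl(value) {
  const v = value.trim(); // scheme allowlist: rejects javascript:, data:, vbscript:
  return /^(https?:\/\/|\/|#|mailto:)/i.test(v) ? v : null;
}

function filterHtml(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, "") // 1. drop <script> with its body
    .replace(/<!--[\s\S]*?-->/g, "")                         //    and HTML comments
    .replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g, (m, name, rawAttrs) => {
      // 2. rebuild each remaining tag from allowlisted attributes only
      const tag = name.toLowerCase();
      if (!ALLOWED_TAGS.has(tag)) return "";
      if (m.startsWith("</")) return `</${tag}>`;
      const allowed = new Set([...ALLOWED_ATTRS["*"], ...(ALLOWED_ATTRS[tag] || [])]);
      const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
      const kept = [];
      for (let a; (a = attrRe.exec(rawAttrs)) !== null;) {
        const attr = a[1].toLowerCase();
        if (!allowed.has(attr)) continue;
        let val = a[2] ?? a[3] ?? a[4];
        if (attr === "style") val = safeStyle(val);
        if (attr === "href" || attr === "src") val = safeUrl(val);
        if (val) kept.push(`${attr}="${val.replace(/"/g, "&quot;")}"`);
      }
      return `<${tag}${kept.length ? " " + kept.join(" ") : ""}>`;
    });
}
```

Everything not on a list is dropped rather than escaped, which is why the user's color and font-size survive while onclick, action and the script block do not.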

Origin blog.csdn.net/u012830303/article/details/93889552