Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
Ideally I want to allow users to edit HTML like tumblr does where you can edit your themes HTML in the browser. You get given also full control.
Ive heard of tools such html-purifier.
Other than ”purifying” the HTML what other steps should br taken.
Some days ago I asked a similar question which might help you.
I would store all user-generated HTML on another domain/subdomain to avoid cookie stealing and make your cookies HttpOnly, so that they cannot be accessed with JavaScript. You could set your cookies (for authentication etc.) on the main domain only without subdomains. Additionally you could use CSRF tokens to avoid automated abuse.
If you want to disallow harmful code/JavaScript you have to filter your HTML, if you do so, you should just whitelist all allowed tags, not blacklisting forbidden tags (because new ones have come with HTML5 and there are even browser-specific ones).
Another challenge is the filtering of attributes (event attributes like onclick allowing to execute JavaScript).
Another user also called my attention to the Content Security Policy which is a header (but is unfortunately only supported by a few browsers).
But it depends on how much freedom you want to give to your users.