I’m working on a project where the public (so everyone) is allowed to insert HTML through TinyMCE for their own project page. Since everyone is allowed to use this feature, I need a 100% safe way of inserting the TinyMCE output into my database, and showing it on another page just as it was inserted by the user.
XSS, SQL injection and all that other crap is not what I want on my new website! I could do htmlentities -> htmlspecialchars and later on use htmlentities_decode, but is this 100% safe, and is it the best way of doing it?
SQL injection is in most cases easily avoided with the use of prepared statements.
XSS is more difficult if you’re planning to allow users to post HTML markup. You need to remove all <script> tags, all on* attributes from tags, all javascript: URLs, and even then that’s probably not fully guaranteed to make the input HTML safe. There are libraries such as HTMLPurifier that can help, but so long as you allow HTML, you’re at risk of letting something malicious through.

You could use a library that implements something such as Markdown or wikitext instead. This severely limits what users can enter, whilst still letting them mark the content up to an extent. It’s not foolproof (people can still just post links to malicious sites and hope users click through to them, which some will be naive enough to actually do), and you’ll not be able to use a rich editor such as TinyMCE without some sort of plugin, but it’s a much simpler job to sanitize Markdown than it is to sanitize HTML.
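An added example, not from the answer above and not HTMLPurifier's code, of the allowlist approach the answer is pointing at, using only Python's standard library: parse the submitted fragment, keep only allowlisted tags, attributes and URL schemes, and re-serialise the result, so that on* attributes, <script> contents and obfuscated javascript: URLs are simply never emitted instead of being pattern-matched away. The tag, attribute and scheme allowlists are assumed values chosen for the demonstration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlist: anything not listed here is dropped; there is no list of "bad" things.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}                # per-tag attribute allowlist
ALLOWED_SCHEMES = {"http", "https", "mailto"}  # assumed set for this example
RAW_TEXT_TAGS = {"script", "style"}            # their text content is dropped too

def safe_url(url):
    # Browsers ignore control characters inside URLs ("java\tscript:" still runs),
    # so strip them before checking the scheme; an empty scheme is a relative URL.
    cleaned = "".join(ch for ch in url if ord(ch) >= 32).lstrip()
    scheme = urlsplit(cleaned).scheme.lower()
    return scheme == "" or scheme in ALLOWED_SCHEMES

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities are decoded for us
        self.out = []
        self.skip = 0  # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped; its text content is still kept
        kept = ""
        for name, value in attrs:
            if (name in ALLOWED_ATTRS.get(tag, ()) and value is not None
                    and (name != "href" or safe_url(value))):
                kept += f' {name}="{html.escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))  # text stays text

def sanitize(fragment):
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)
```

The sanitized string is what goes into the database (still via a prepared statement) and is echoed back without further decoding; HTMLPurifier applies the same allowlist-and-reserialise principle for PHP.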