<h1>How can I allow WYSIWYG editors and disable XSS attacks using Laravel?</h1>
<p>I have an enterprise-level application where logged-in users are authorized to post articles to a page using a WYSIWYG editor. (You can consider this application as a website builder.)</p>
<p>Everything works fine, but the problems are:</p>
<ol>
<li><p>The WYSIWYG editor posts HTML containing the article, and also some localised string characters which Laravel doesn't like, so Laravel's <code>alpha_num</code> check can't pass. (Therefore we don't use it in validation checks.)</p></li>
<li><p>We need to allow characters like <code>&lt;</code>, <code>"</code>, <code>&gt;</code> because they may want to do some basic styling using the WYSIWYG editor, so <code>htmlspecialchars()</code> is not an option while echoing/sanitizing values, because harmful things like <code>&lt;br&gt;</code>'s break.</p></li>
<li><p>Users are able to post things like <code>&lt;script type="text/javascript&gt;alert('Hello');&lt;/script&gt;</code> or <code>&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div style="width: 100%, height: 100% z-index: 999999"&gt;</code>. It is a huge security risk, I know, but we can't really sanitize/escape anything. Users will still be able to write <code>&lt;s&lt;!----&gt;cript&gt;</code> and pass the check.</p></li>
</ol>
<p>So, in short, we can't rely on some built-in Laravel and PHP functions. We can't disable the WYSIWYG editor either, because it is used often in the majority of areas in the application in question.</p>
<p>What is the best way to avoid this?</p>
<p>I'm thinking about creating a custom rule on top of <code>alpha_num</code> in Laravel, which would be called something like <code>alpha_num_localised_characters_plus_allowed_html_tags</code>, and adding that rule to any input containing a WYSIWYG editor.</p>
<p>Is this a good way? Is there any better alternative? How do you deal with such issues yourself?</p>
<p>Note: Please note we have already developed a huge application, so we'll rely on the quickest and most maintainable solution.</p>
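<p>An allowlist-based approach, as an added example in PHP that is not code from the question or from Laravel: the HTML is parsed with DOMDocument, every element, attribute and <code>href</code> scheme not on an allowlist is dropped by the parser rather than by a regex, and a Laravel rule rejects input the allowlist would have altered. The allowlist, the class names <code>HtmlAllowlist</code> and <code>SafeHtml</code>, the UTF-8 XML processing-instruction trick for <code>loadHTML()</code> and Laravel 10's <code>ValidationRule</code> contract are assumptions.</p>

```php
use Illuminate\Contracts\Validation\ValidationRule;
final class HtmlAllowlist
{
    // Constructed allowlist (an assumption): extend it to what the WYSIWYG editor actually emits.
    private const TAGS = ['p', 'br', 'b', 'strong', 'i', 'em', 'u', 'ul', 'ol', 'li', 'a', 'h2', 'h3'];
    private const ATTRS = ['a' => ['href', 'title']];
    private const SCHEMES = ['http', 'https', 'mailto'];
    /** Returns [sanitised HTML, number of nodes and attributes that were dropped]. */
    public static function clean(string $html): array
    {
        $doc = new DOMDocument();
        $prev = libxml_use_internal_errors(true); // malformed editor markup is normal input here
        // The XML PI forces UTF-8 so localised text survives; the body wrapper keeps it a fragment.
        $doc->loadHTML('<?xml encoding="utf-8"?><body>' . $html . '</body>');
        libxml_use_internal_errors($prev);
        $body = $doc->getElementsByTagName('body')->item(0);
        $dropped = 0;
        self::walk($body, $dropped);
        $out = implode('', array_map(fn ($c) => $doc->saveHTML($c), iterator_to_array($body->childNodes)));
        return [$out, $dropped];
    }
    private static function walk(DOMNode $node, int &$dropped): void
    {
        foreach (iterator_to_array($node->childNodes) as $child) { // copy: the live list is mutated
            if ($child instanceof DOMText) { continue; }            // text nodes are serialised escaped
            $tag = $child instanceof DOMElement ? strtolower($child->tagName) : null;
            if ($tag === null || !in_array($tag, self::TAGS, true)) { // comments, PIs, unknown tags:
                $node->removeChild($child); $dropped++; continue;     // gone with their whole subtree
            }
            foreach (iterator_to_array($child->attributes) as $attr) {
                $name = strtolower($attr->name);
                $ok = in_array($name, self::ATTRS[$tag] ?? [], true);
                if ($ok && $name === 'href') { // strip control chars browsers ignore, then check the scheme
                    $scheme = parse_url(preg_replace('/[\x00-\x20]+/', '', $attr->value), PHP_URL_SCHEME);
                    $ok = $scheme === null || in_array(strtolower((string) $scheme), self::SCHEMES, true);
                }
                if (!$ok) { $child->removeAttribute($attr->name); $dropped++; }
            }
            self::walk($child, $dropped);
        }
    }
}
// Laravel rule: fail validation when the allowlist would have removed anything.
final class SafeHtml implements ValidationRule
{
    public function validate(string $attribute, mixed $value, Closure $fail): void
    {
        if (HtmlAllowlist::clean((string) $value)[1] > 0) { $fail('The :attribute field contains HTML that is not allowed.'); }
    }
}
```

<p>Attach it as <code>'body' => ['required', 'string', new SafeHtml]</code> in a FormRequest, or store <code>HtmlAllowlist::clean($value)[0]</code> to strip silently instead of rejecting; either way only what ends up inside the body element is ever emitted, so a stray <code>&lt;/body&gt;</code> cannot smuggle markup past the walk.</p>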