Gio*_*rje 17 css php sanitization
我想允许用户在我的论坛上使用他们自己的样式表来查找我的个人资料,但我担心可能存在安全漏洞.有没有人有任何消毒CSS的技巧?
基本流程:用户将CSS输入表单 - >保存到DB - >输出为内联CSS
dle*_*itt 19
带有CSSTidy的HTMLPurifier 可以满足您的需求.
HTMLPurifier主要用于清理HTML,但也可以选择使用CSSTidy提取样式块.
HTMLPurifier文档中有一个示例(但是,我已经用完了每个帖子的两个链接.)
这是另一个:
require_once './htmlpurifier/library/HTMLPurifier.auto.php';
require_once './csstidy/class.csstidy.php';
// define some css
$input_css = "
body {
margin: 0px;
padding: 0px;
/* JS injection */
background-image: url(javascript:alert('Injected'));
}
a {
color: #ccc;
text-decoration: none;
/* dangerous proprietary IE attribute */
behavior:url(hilite.htc);
/* dangerous proprietary FF attribute */
-moz-binding: url('http://virus.com/htmlBindings.xml');
}
.banner {
/* absolute position can be used for phishing */
position: absolute;
top: 0px;
left: 0px;
}
";
// Create a new configuration object
$config = HTMLPurifier_Config::createDefault();
$config->set('Filter.ExtractStyleBlocks', TRUE);
// Create a new purifier instance
$purifier = new HTMLPurifier($config);
// Turn off strict warnings (CSSTidy throws some warnings on PHP 5.2+)
$level = error_reporting(E_ALL & ~E_STRICT);
// Wrap our CSS in style tags and pass to purifier.
// we're not actually interested in the html response though
$html = $purifier->purify('<style>'.$input_css.'</style>');
// Revert error reporting
error_reporting($level);
// The "style" blocks are stored seperately
$output_css = $purifier->context->get('StyleBlocks');
// Get the first style block
echo $output_css[0];
输出是:
body {
margin:0;
padding:0;
}
a {
color:#ccc;
text-decoration:none;
}
.banner {
}
| 归档时间: |
|
| 查看次数: |
5212 次 |
| 最近记录: |