Using KSES to filter input data safely
The first principle of secure PHP development is never to trust any external data. How to achieve that effectively is a hard problem for every developer. Before web (rich-text) editors came along this was fairly easy to handle: you could simply escape everything.
But once a web editor is in use, the user's input is supposed to contain HTML, and how to preserve that formatting while still being safe (for example, preventing XSS attacks) becomes a real headache.
Here I recommend an open-source tool: KSES. KSES is a whitelist filter: it only lets through the tags and attributes you explicitly allow, and strips everything else from the user's input.
For example, if you only allow
<a href="">
then a submitted
<a href="" title="">
will come out as
<a href="">
with the title attribute removed; tags not in the list are removed entirely.
KSES is used in WordPress and Gregarius and is very handy. Usage is also very simple; the only drawback is that it is not wrapped in a class, and perhaps the author has his own reasons for that.
Example:
<?php
// Load the KSES library (kses.php from the KSES distribution) before calling kses().
require_once 'kses.php';

// Whitelist of allowed tags and, for each tag, its allowed attributes.
// An empty array for an attribute means "allowed, with no value constraints".
$kses_allowed = array(
    'address'    => array(),
    'a'          => array('href' => array(), 'title' => array(), 'rel' => array(),
                          'rev' => array(), 'name' => array()),
    'abbr'       => array('title' => array()),
    'acronym'    => array('title' => array()),
    'b'          => array(),
    'big'        => array(),
    'blockquote' => array('cite' => array()),
    'br'         => array(),
    'button'     => array('disabled' => array(), 'name' => array(), 'type' => array(),
                          'value' => array()),
    'caption'    => array('align' => array()),
    'code'       => array(),
    'col'        => array('align' => array(), 'char' => array(), 'charoff' => array(),
                          'span' => array(), 'valign' => array(), 'width' => array()),
    'del'        => array('datetime' => array()),
    'dd'         => array(),
    'div'        => array('align' => array()),
    'dl'         => array(),
    'dt'         => array(),
    'em'         => array(),
    'fieldset'   => array(),
    'font'       => array('color' => array(), 'face' => array(), 'size' => array()),
    'form'       => array('action' => array(), 'accept' => array(), 'accept-charset' => array(),
                          'enctype' => array(), 'method' => array(), 'name' => array(),
                          'target' => array()),
    'h1'         => array('align' => array()),
    'h2'         => array('align' => array()),
    'h3'         => array('align' => array()),
    'h4'         => array('align' => array()),
    'h5'         => array('align' => array()),
    'h6'         => array('align' => array()),
    'hr'         => array('align' => array(), 'noshade' => array(), 'size' => array(),
                          'width' => array()),
    'i'          => array(),
    'img'        => array('alt' => array(), 'align' => array(), 'border' => array(),
                          'height' => array(), 'hspace' => array(), 'longdesc' => array(),
                          'vspace' => array(), 'src' => array(), 'width' => array()),
    'ins'        => array('datetime' => array(), 'cite' => array()),
    'kbd'        => array(),
    'label'      => array('for' => array()),
    'legend'     => array('align' => array()),
    'li'         => array(),
    'p'          => array('align' => array()),
    'pre'        => array('width' => array()),
    'q'          => array('cite' => array()),
    's'          => array(),
    'strike'     => array(),
    'strong'     => array(),
    'sub'        => array(),
    'sup'        => array(),
    'table'      => array('align' => array(), 'bgcolor' => array(), 'border' => array(),
                          'cellpadding' => array(), 'cellspacing' => array(), 'rules' => array(),
                          'summary' => array(), 'width' => array()),
    'tbody'      => array('align' => array(), 'char' => array(), 'charoff' => array(),
                          'valign' => array()),
    'td'         => array('abbr' => array(), 'align' => array(), 'axis' => array(),
                          'bgcolor' => array(), 'char' => array(), 'charoff' => array(),
                          'colspan' => array(), 'headers' => array(), 'height' => array(),
                          'nowrap' => array(), 'rowspan' => array(), 'scope' => array(),
                          'valign' => array(), 'width' => array()),
    'textarea'   => array('cols' => array(), 'rows' => array(), 'disabled' => array(),
                          'name' => array(), 'readonly' => array()),
    'tfoot'      => array('align' => array(), 'char' => array(), 'charoff' => array(),
                          'valign' => array()),
    'th'         => array('abbr' => array(), 'align' => array(), 'axis' => array(),
                          'bgcolor' => array(), 'char' => array(), 'charoff' => array(),
                          'colspan' => array(), 'headers' => array(), 'height' => array(),
                          'nowrap' => array(), 'rowspan' => array(), 'scope' => array(),
                          'valign' => array(), 'width' => array()),
    'thead'      => array('align' => array(), 'char' => array(), 'charoff' => array(),
                          'valign' => array()),
    'title'      => array(),
    'tr'         => array('align' => array(), 'bgcolor' => array(), 'char' => array(),
                          'charoff' => array(), 'valign' => array()),
    'tt'         => array(),
    'u'          => array(),
    'ul'         => array(),
    'ol'         => array(),
    'var'        => array(),
);

// $string holds the untrusted HTML (for example the POST field of a rich-text editor).
// kses() returns it with every tag and attribute not in the whitelist removed.
$string = kses($string, $kses_allowed);
?>
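The list above is a general-purpose whitelist. For a narrower context, such as blog comments, a much smaller list is safer, and KSES also lets you constrain attribute values and the URL schemes it accepts. The following is an added example written for this post, not code from the original post or from the KSES project; it assumes that kses.php from the KSES distribution is in the include path, and the helper name filter_comment() and the sample input are my own.

```php
<?php
// Added example: a tight whitelist for comment-style input, plus a look at what
// KSES strips from a hostile sample. Assumes kses.php (providing kses()) is on
// the include path.
require_once 'kses.php';

// Inline formatting and links only. Each attribute may carry KSES value
// constraints; here href and title are limited in length.
$comment_allowed = array(
    'a'          => array('href'  => array('maxlen' => 200),
                          'title' => array('maxlen' => 100)),
    'b'          => array(),
    'i'          => array(),
    'em'         => array(),
    'strong'     => array(),
    'code'       => array(),
    'blockquote' => array('cite' => array()),
    'br'         => array(),
    'p'          => array(),
);

// Allowed URL schemes for attributes such as href and cite. Passing this as the
// third argument replaces KSES's built-in default list.
$comment_protocols = array('http', 'https', 'mailto');

// Filter one untrusted HTML fragment through the comment whitelist.
function filter_comment($html)
{
    global $comment_allowed, $comment_protocols;
    return kses($html, $comment_allowed, $comment_protocols);
}

// Constructed sample input (not real traffic) containing the things the
// whitelist is meant to stop: event-handler attributes, a javascript: URL,
// a script tag and an image that would trigger a remote request.
$untrusted = '<p onmouseover="alert(1)">Hello <b>world</b>'
           . ' <a href="javascript:alert(document.cookie)" onclick="alert(2)">link</a>'
           . ' <script>alert(3)</script>'
           . ' <img src="http://attacker.example/x.png" onerror="alert(4)">'
           . ' <a href="https://example.com/" title="ok">fine</a></p>';

echo filter_comment($untrusted);
?>
```

On this input KSES drops the onmouseover, onclick and onerror attributes because they are not whitelisted, removes the script and img tags (the text between the script tags remains, but as plain text, not as a tag), strips the javascript: scheme from the first href because it is not in the protocol list, and leaves the second link intact with both attributes. Two caveats worth keeping in mind: KSES is a tag and attribute whitelist, not a CSS or URL parser, so never whitelist style, and treat every attribute you allow as a decision, not a default. The larger list earlier in the post permits form, button, textarea, font and img src, which are not script but are enough for phishing forms, page defacement and tracking requests; if you do not need them, leave them out. Finally, KSES only makes HTML contexts safe; data that ends up in an attribute, a URL or a database still needs the escaping appropriate to that context.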