Is it possible to ignore complete HTML within a specified tag using HTMLPurifier?
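I have a use case where I need to store iframes, and possibly dynamically generated JavaScript, in a database. I am using HTMLPurifier to sanitize the input.
Is it possible to have HTMLPurifier ignore everything (HTML/CSS/JS) inside a specified element, so that all other content is sanitized but everything inside that element is left intact?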
From Wikipedia:
CDATA sections in XHTML documents are liable to be parsed differently
by web browsers if they render the document as HTML, since HTML
parsers do not recognise the CDATA start and end markers, nor do they
recognise HTML entity references such as &lt; within <script> tags.
This can cause rendering problems in web browsers and can lead to
cross-site scripting vulnerabilities if used to display data from
untrusted sources, since the two kinds of parser will disagree on
where the CDATA section ends.
Since it is useful to be able to use less-than signs (<) and
ampersands (&) in web page scripts, and to a lesser extent styles,
without having to remember to escape them, it is common to use CDATA
markers around the text of inline <script> and <style> elements in
XHTML documents. But so that the document can also be parsed by HTML
parsers, which do not recognise the CDATA markers, the CDATA markers
are usually commented-out.
Here is a JavaScript example:
<script type="text/javascript">
//<![CDATA[
document.write("<");
//]]>
</script>
Here is a CSS example:
<style type="text/css">
/*<![CDATA[*/
body { background-image: url("marble.png?width=300&height=300") }
/*]]>*/
</style>
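To make the parser disagreement described in the quote more concrete, here is a rough sketch. It is a deliberately simplified model, not a real HTML or XML parser. The function names `htmlScriptEnd` and `xmlCdataEnd` and the `payload` string are hypothetical, introduced only for illustration. The sketch assumes an HTML parser ends script content at the first `</script` it sees, while an XML parser treats everything up to `]]>` as character data.

```javascript
// Simplified model, not a real parser: each function returns the index at
// which a given kind of parser would consider the script content finished.

// Assumption: an HTML parser ignores CDATA markers, so the script content
// ends at the first "</script" it encounters (case-insensitive).
function htmlScriptEnd(content) {
  return content.toLowerCase().indexOf("</script");
}

// Assumption: an XML parser treats everything between "<![CDATA[" and "]]>"
// as plain character data, so a "</script>" inside it does not close anything.
function xmlCdataEnd(content) {
  const start = content.indexOf("<![CDATA[");
  if (start === -1) return -1;
  return content.indexOf("]]>", start);
}

// Hypothetical untrusted text placed between <script> and </script>.
const payload =
  '//<![CDATA[\nvar s = "</script><img src=x onerror=alert(1)>";\n//]]>';

const htmlEnd = htmlScriptEnd(payload);
const xmlEnd = xmlCdataEnd(payload);

// true means the HTML-style scan stops earlier than the XML-style scan,
// so the two models disagree about where the script data ends.
console.log(htmlEnd !== -1 && htmlEnd < xmlEnd);
```

Under this model, everything after the embedded `</script>` would be treated as markup by an HTML parser but as inert text by an XML parser. That gap is the reason preserving the contents of a chosen element verbatim is risky when the input comes from untrusted sources.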