#1
  A Change of Season (Devshed Expert, 3,558 posts)


    Allowing users to add HTML blocks of code to their pages


    Hi;

    Just making a simple page builder, need to allow users to add HTML blocks.

    That includes Js and all sort of things I gotta be careful with.

    Obviously raises flags.

    They paste it in the textarea.

    You know how it is.

    How can I make sure it's secure?

    At this stage all I know is when they add script before I preview I change the < and > to &gt; and &lt;

    Thanks
#2
  Backwards Moderator (Devshed Supreme Being, 16,904 posts)

    I would feed it into an HTML processor like Tidy, have it "clean up" the markup, then use DOM techniques to find all elements and decide what to do with them. You'll want a whitelist of HTML elements to allow, and for each a whitelist of attributes to allow (if any). It's a huge risk but possible to do correctly if you're really careful. Like with HTML Purifier.

    Assuming, of course, that not using HTML isn't an option. Because using BBCode or something would be much better.
    Last edited by requinix; May 21st, 2018 at 06:31 AM.
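The allowlist approach described in the reply above, as an added example that is not code from the thread and not HTML Purifier or Tidy: a small sanitizer built on Python's standard-library html.parser. It keeps only the elements and attributes in ALLOWED (the particular list is an assumption for the example), drops <script> and <style> together with their content, rejects href/src values whose scheme is not http, https or mailto, re-escapes all text, and re-balances unclosed tags so the user's markup cannot swallow the rest of the page. The COUNTDOWN string is the snippet from post #3, shortened to the attributes that matter for the demonstration.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist (an assumption for this example): element -> attributes it may keep.
# Anything not listed is dropped, which covers <script>, <iframe>, <object>,
# on* event handlers, style= and every data-* attribute.
ALLOWED = {
    "p": set(), "br": set(), "b": set(), "strong": set(), "i": set(), "em": set(),
    "ul": set(), "ol": set(), "li": set(), "h1": set(), "h2": set(), "h3": set(),
    "div": {"id", "class"}, "span": {"class"},
    "a": {"href", "title"}, "img": {"src", "alt", "width", "height"},
}
VOID = {"br", "img"}                      # never pushed on the open-tag stack
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}
DROP_WITH_CONTENT = {"script", "style"}   # the tag AND its text are discarded


def safe_url(value):
    # Browsers ignore control characters and whitespace inside a scheme
    # ("java\tscript:"), so strip them before looking at it.
    cleaned = re.sub(r"[\x00-\x20]", "", value)
    scheme = urlparse(cleaned).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES   # relative URLs are fine


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open = []          # tags we emitted, so the output is re-balanced
        self.skip_depth = 0     # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            self.skip_depth += tag in DROP_WITH_CONTENT
            return
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = 1
            return
        if tag not in ALLOWED:
            return              # unknown element: drop the tag, keep its text
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED[tag] or value is None:
                continue        # also removes on*=, style=, data-*=
            if name in URL_ATTRS and not safe_url(value):
                continue        # javascript:, data:, vbscript: ...
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if self.skip_depth:
            self.skip_depth -= tag in DROP_WITH_CONTENT
            return
        if tag in self.open:    # close everything opened after it as well
            while self.open:
                t = self.open.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))   # re-escape decoded text

    # handle_comment is inherited as a no-op, so comments (including IE
    # conditional comments) never reach the output.

    def result(self):
        while self.open:
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize(html):
    p = Sanitizer()
    p.feed(html)
    p.close()
    return p.result()


# The snippet from post #3 (shortened): the <div> survives, the <script> does not.
COUNTDOWN = ('<div id = "countdown_timer"> <script type="text/javascript" '
             'src="https://webmoosh.com/ctb" data-launch_id="64"></script></div>')

if __name__ == "__main__":
    print(sanitize(COUNTDOWN))
    print(sanitize('<a href="javascript:alert(1)" onclick="x()">click</a>'))
    print(sanitize('<img src="/logo.png" onerror="alert(1)"><b>unclosed <i>text'))
```

Running it on the countdown snippet gives `<div id="countdown_timer"> </div>`, which is exactly the behaviour post #3 complains about: a sanitizer that lets a customer's tracking script through is no longer a sanitizer. If third-party JavaScript has to run, the usual compromise is to serve each customer's page from its own origin (a per-tenant subdomain or a sandboxed iframe) so the script cannot reach the builder's session or other tenants' pages.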
#3
  A Change of Season (Devshed Expert, 3,558 posts)

    Hi;

    This is a B2B product. Businesses can add their JS tracking codes etc.

    A bit strange. For example, purifying this removes everything (obviously).

    Code:
    <div id = "countdown_timer"> <script type="text/javascript" src="https://webmoosh.com/ctb" data-launch_owner_email_hashed="94bd214b329301668349352de430bb6d" data-launch_id="64" data-lt="broadcast"></script></div>
#4
  Banned (not really) (Devshed Supreme Being, 14,961 posts)

    Originally Posted by English Breakfast Tea
    How can I make sure it's secure?
    You can't.
    -- Cigars, whiskey and wild, wild women. --
#5
  A Change of Season (Devshed Expert, 3,558 posts)

    Originally Posted by Sepodati
    You can't.
    Hello;

    There are multi-million dollar companies like Ontraport and Kajabi doing it.

    There has to be a way to make this secure :-0
#6
  Banned (not really) (Devshed Supreme Being, 14,961 posts)

    You asked "How can I make sure it's secure?" not how to allow users to add custom HTML and JS. There's a big difference and my answer still stands.

    Either you trust the user to add anything they want and accept unknown risks, or you limit the user through BB code-like interfaces.
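The other option both replies (#2 and #6) point at, limiting users to a BBCode-like interface, as an added example that is not code from the thread: a tiny BBCode-to-HTML translator. The tag set and the [url=...] syntax are assumptions for the example. The security property is structural rather than a filter: user text only ever reaches the output through escape(), and the only HTML that can be emitted is the fixed set in PAIRS plus an <a> whose href has passed a scheme check, so there is no path by which a pasted <script> becomes live markup.

```python
import re
from html import escape
from urllib.parse import urlparse

# Fixed translation table (an assumption for this example): a BBCode tag can
# only ever become the HTML element listed here, with no attributes.
PAIRS = {"b": "strong", "i": "em", "u": "u", "quote": "blockquote", "code": "pre"}
TAG_RE = re.compile(
    r"\[(/?)(b|i|u|quote|code)\]"            # [b] ... [/b] style pairs
    r"|\[url=([^\]]+)\]([^\[]*)\[/url\]",    # [url=...]label[/url]
    re.IGNORECASE,
)


def safe_href(url):
    cleaned = re.sub(r"[\x00-\x20]", "", url)      # "java\tscript:" tricks
    return urlparse(cleaned).scheme.lower() in ("http", "https")


def bbcode_to_html(text):
    out, pos, stack = [], 0, []
    for m in TAG_RE.finditer(text):
        out.append(escape(text[pos:m.start()]))    # literal text is always escaped
        pos = m.end()
        if m.group(3) is not None:                 # [url=...]label[/url]
            href, label = m.group(3), m.group(4)
            if safe_href(href):
                out.append(f'<a href="{escape(href, quote=True)}" rel="nofollow">'
                           f"{escape(label)}</a>")
            else:
                out.append(escape(label))          # bad scheme: keep text, drop link
            continue
        closing, html_tag = m.group(1) == "/", PAIRS[m.group(2).lower()]
        if not closing:
            out.append(f"<{html_tag}>")
            stack.append(html_tag)
        elif html_tag in stack:                    # close anything nested inside it
            while stack:
                t = stack.pop()
                out.append(f"</{t}>")
                if t == html_tag:
                    break
        # a stray closing tag with no opener is silently dropped
    out.append(escape(text[pos:]))
    while stack:                                   # balance whatever was left open
        out.append(f"</{stack.pop()}>")
    return "".join(out)


if __name__ == "__main__":
    print(bbcode_to_html("[b]hi[/b] <script>alert(1)</script>"))
    print(bbcode_to_html("[url=javascript:alert(1)]click[/url]"))
    print(bbcode_to_html("[url=https://example.com/?a=1&b=2]site[/url] [i]unclosed"))
```

The price of this approach is the one the original poster objects to: a customer cannot paste a vendor's tracking snippet, because there is deliberately no markup that produces a <script>. That is the trade-off post #6 describes, not a limitation you can tune away.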
