There is a page on the site, and a piece of HTML is inserted into it from an external source. For example, there is a product, and the supplier provides the product description in the form of an HTML description.

How can I prevent the execution of any JS or other code from this description?


<span>Product Description</span>Inserted vendor description

At the same time, the description contains the necessary HTML markup; it is specifically the ability to run scripts and event handlers that needs to be disabled.

It is easy to remove all the markup, e.g. with strip_tags, but the markup is needed.

Most likely there is some simple ready-made solution, but I did not find it... What comes to mind is using regular expressions to remove all onclick=, onchange=, etc. Maybe there are ready-made solutions, or something like

<no_execute_script>Inserted vendor description

htmlentities in PHP, for example; essentially all characters are converted into HTML entities like `&lt;` etc.

Алексей Шиманский, 2022-01-20 10:49:02

Aleksey Shimansky, then the HTML markup will be converted as well. It is necessary to forbid execution of the code or to remove it.

ulis, 2022-01-20 10:50:38

Take some HTML parser, walk the entire element tree, and remove the tags and attributes that are not in the list of allowed ones (in theory there should be ready-made implementations of this, but I'm too lazy to look for them).

andreymal, 2022-01-20 11:08:06

And yes, the values of allowed attributes also need to be checked, since HTML allows you to put a script inside a link, for example:

andreymal, 2022-01-20 11:09:47
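As an added illustration of the two comments above (parse the markup, walk the elements, keep only allow-listed tags and attributes, and also check the value of URL-bearing attributes), here is a small allow-list sanitizer built on Python's standard-library html.parser. This is example code written for this page, not code posted by any participant in the thread and not a particular library's implementation; the tag and attribute allow-lists, the list of "safe" URL schemes and the sample vendor HTML are assumptions constructed for the demonstration.

```python
# Allow-list HTML sanitizer (added example, not from the thread).
# Approach: parse the HTML, re-emit only allowed tags with allowed
# attributes, re-escape all text, drop script/style content entirely,
# and reject href/src values whose scheme is not in SAFE_SCHEMES.
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list of tags a product description legitimately needs.
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "u", "ul", "ol", "li",
                "span", "a", "img", "table", "tr", "td", "th", "h2", "h3"}
# Assumed per-tag attribute allow-list: no on* handlers, no style.
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto", ""}   # "" means a relative URL
VOID_TAGS = {"br", "img"}                        # never emit a closing tag
# The *content* of these elements is dropped, not just the tags.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}


def safe_url(value):
    """True if the URL scheme is allow-listed (blocks javascript:, data:, vbscript:)."""
    # Remove whitespace/control characters that browsers ignore in front of the scheme,
    # so "java\tscript:" is recognised as "javascript:" and rejected.
    cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    return urlparse(cleaned).scheme.lower() in SAFE_SCHEMES


class AllowListSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0   # > 0 while inside a dropped-content element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return            # unknown tag: drop the tag, keep its text
        parts = [tag]
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue      # removes every on* handler, style, etc.
            value = value or ""
            if name in URL_ATTRS and not safe_url(value):
                continue      # drop the attribute, keep the element
            parts.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            # Text is re-escaped, so a literal "<" in the input can never form a tag.
            self.out.append(escape(data))

    def handle_comment(self, data):
        pass                  # comments are dropped


def sanitize(html):
    parser = AllowListSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed sample vendor description containing the things that must not survive.
VENDOR_HTML = (
    '<p onclick="alert(1)">Great <b>product</b> &amp; more</p>'
    '<script>alert("xss")</script>'
    '<a href="javascript:alert(1)">bad link</a>'
    '<a href="https://example.com/spec">spec sheet</a>'
    '<img src="/img/1.png" alt="photo" onerror="alert(1)">'
)

if __name__ == "__main__":
    print(sanitize(VENDOR_HTML))
```

The result is safe only when inserted as element content (the body of the page), not inside an attribute value or a `<script>` block, which would need different escaping. The sanitizer does not balance unclosed tags, so malformed vendor markup can still disturb the page layout, just not run code. For production use a maintained sanitizer library is still preferable; the value of this example is in showing why the allow-list must cover attribute values and not only tag and attribute names.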

andreymal, my question was precisely about finding a simple ready-made solution to this issue. Prohibiting everything by hand is difficult, it seems to me. Something must already exist; I'm 100% sure I'm not the first to be puzzled by this.

ulis, 2022-01-20 11:11:29