

Twig: Allow HTML, but escape script

symfony2,twig,html-sanitizing
I am investigating a possible XSS attack vector for my application. What I have: a FormType with a single textarea field. Normally this field can contain HTML tags. A Twig template that renders the inserted data. I use that form to insert the following content: <b>Some valid HTML text</b> <script type="text/javascript">alert("XSS")</script> Viewing...
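The situation the question describes (user HTML that must keep harmless formatting tags but must never reach the page with an executable <script>) is what an allow-list sanitizer is for. The following is an added example, not code from the question or from Symfony/Twig: it parses the input with PHP's DOMDocument, drops every element not on a small allow-list (together with its contents, so the body of a <script> cannot survive as text-turned-markup), and strips all attributes except an http/https href on <a>. The sample input is constructed to mirror the payload in the question; the function names and the allow-list are this example's own choices.

```php
<?php
// Added example: allow-list HTML sanitizer built on DOMDocument.
// Not from the original question; sanitize_html() and clean_node() are
// names chosen here, and the allow-list is a deliberately small assumption.

function sanitize_html(string $html, array $allowedTags = ['b', 'i', 'em', 'strong', 'p', 'br', 'a']): string
{
    $doc = new DOMDocument();
    // Malformed user input produces libxml warnings; collect them instead of emitting.
    libxml_use_internal_errors(true);
    // Declare the charset so multibyte text is not mangled, and give the parser a body to fill.
    $doc->loadHTML('<!DOCTYPE html><html><head><meta charset="utf-8"></head><body>' . $html . '</body></html>');
    libxml_clear_errors();

    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';
    }
    clean_node($body, $allowedTags);

    // Re-serialize only the body's children: the output is normalized markup
    // produced by the parser, not the attacker's original byte string.
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function clean_node(DOMNode $node, array $allowedTags): void
{
    // Take a snapshot first: removing children while iterating a live NodeList skips entries.
    $children = [];
    foreach ($node->childNodes as $child) {
        $children[] = $child;
    }

    foreach ($children as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (!in_array($tag, $allowedTags, true)) {
                // Remove the element and everything inside it. Unwrapping instead
                // would leave the text of <script> in the output as plain text, which
                // is harmless, but for unknown tags dropping is the conservative choice.
                $node->removeChild($child);
                continue;
            }

            // Strip every attribute: on* handlers, style, src, and any href that is not
            // a plain http/https URL (javascript: and data: schemes are therefore gone).
            $names = [];
            foreach ($child->attributes as $attr) {
                $names[] = $attr->name;
            }
            foreach ($names as $name) {
                $value = $child->getAttribute($name);
                if ($tag === 'a' && $name === 'href' && preg_match('#^https?://#i', $value)) {
                    continue;
                }
                $child->removeAttribute($name);
            }

            clean_node($child, $allowedTags);
        } elseif (!($child instanceof DOMText)) {
            // Comments, CDATA sections and processing instructions carry no content worth keeping.
            $node->removeChild($child);
        }
    }
}

// Constructed input modelled on the question's payload, plus two attribute-based vectors.
$input = '<b>Some valid HTML text</b> '
       . '<script type="text/javascript">alert("XSS")</script> '
       . '<a href="javascript:alert(1)" onclick="alert(2)">link</a>';

echo sanitize_html($input), PHP_EOL;
```

Run the sanitizer when the form is submitted (or at render time, before the value is passed through Twig's raw filter), and never on the escaped output; the point of an allow-list over a parser is that it does not matter how the script tag is spelled, because the browser and libxml agree on what is an element, whereas a regex that deletes "<script" misses variants the parser still accepts. For production code the same approach is packaged and maintained in HTML Purifier and in the symfony/html-sanitizer component.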

How sanitize and store user input, that contains HTML regex pattern in WordPress

php,html,wordpress,security,html-sanitizing
I am working on a WordPress plugin; one of its features is the ability to store an HTML regex pattern, entered by the user, in the DB and then display it on the settings page. My method actually works, but I wonder if that code is secure enough. That's the user-entered pattern: <div(.+?)class='sharedaddy...

How can I catch ngSanitize errors and display the HTML as escaped text

html,angularjs,sanitization,html-sanitizing
We are using AngularJS to try to display user-entered content as HTML. Most of the time the users enter valid/safe data, which we display correctly using ng-bind-html. Occasionally they enter invalid HTML, which I would still like to display as the raw text. If I use ng-bind-html to attempt...