Twig: Allow HTML, but escape script

I am investigating a possible XSS attack vector for my application. What I have: a FormType with a single textarea field. Normally this field can contain HTML tags. A Twig template that renders the inserted data. I use that form to insert the following content: <b>Some valid HTML text</b> <script type="text/javascript">alert("XSS")</script> Viewing...

How to sanitize and store user input that contains an HTML regex pattern in WordPress

I am working on a WordPress plugin, one of whose features is the ability to store an HTML regex pattern, entered by the user, in the DB and then display it on the settings page. My method actually works, but I wonder if that code is secure enough. That's the user-entered pattern: <div(.+?)class='sharedaddy...

How can I catch ngSanitize errors and display the HTML as escaped text

We are using AngularJS to try and display user-entered content as HTML. Most of the time the users enter valid/safe data, which we display correctly using ng-bind-html. Occasionally they enter invalid HTML, which I would still like to display as the raw text. If I use ng-bind-html to attempt...