How can I allow WYSIWYG editors and disable XSS attacks using Laravel?
Can you run everything through strip_tags and just allow the minimum tags possible?
You may also want to look at HTML Purifier, which should give you more options, including control over CSS.
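As an added illustration of the two answers above (not code from either poster), the script below runs one constructed WYSIWYG payload through `strip_tags()` with an allow-list and then through HTML Purifier. It assumes `ezyang/htmlpurifier` is installed with Composer; the sample markup is made up for the demonstration.

```php
<?php
// Added example: strip_tags() allow-list versus HTML Purifier on the same input.
// Assumes: composer require ezyang/htmlpurifier
require __DIR__ . '/vendor/autoload.php';

// Constructed sample of editor output carrying three common XSS vectors:
// an event-handler attribute, a javascript: URL and an inline script.
$dirty = '<p>Hello <b>world</b></p>'
       . '<img src="x" onerror="alert(1)">'
       . '<a href="javascript:alert(2)">click</a>'
       . '<script>alert(3)</script>';

// 1. strip_tags() with an allow-list. It removes tags that are not listed,
//    but it keeps every attribute of the tags it allows, and it leaves the
//    text content of removed tags in place. So the onerror= handler and the
//    javascript: href survive untouched, and "alert(3)" becomes visible text.
$viaStripTags = strip_tags($dirty, '<p><b><a><img>');

// 2. HTML Purifier parses the document and rebuilds it from an allow-list of
//    elements AND attributes, validating attribute values (URI schemes included).
$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.Allowed', 'p,b,i,a[href],img[src|alt]'); // elements and their attributes
$config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]); // no javascript:/data:
$config->set('CSS.AllowedProperties', []); // disallow inline style entirely
// Under a web server the serializer cache directory must be writable; point it
// somewhere you control, e.g. $config->set('Cache.SerializerPath', '/path/to/cache');
$purifier = new HTMLPurifier($config);
$viaPurifier = $purifier->purify($dirty);

echo "strip_tags:   $viaStripTags\n";
echo "HTMLPurifier: $viaPurifier\n";
```

Running it shows the difference: the `strip_tags()` line still contains `onerror="alert(1)"` and `href="javascript:alert(2)"`, while the HTML Purifier line keeps the paragraph, the image and the link text but drops the event handler, the `javascript:` URL and the script block. The practical rule this demonstrates is that `strip_tags()` is a tag filter, not an HTML sanitizer; an attribute-aware parser such as HTML Purifier is what you want in front of `{!! !!}` output in Blade.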
What I usually do is save two copies of the WYSIWYG content:
- the original unfiltered content
- the filtered content
This allows me to reprocess the original content if I find that something vital has been stripped out and also show the user their original html when editing. Obviously I display the filtered content wherever it is displayed on the site.
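One way to implement the "two copies" approach from the answer above in Laravel, as an added example rather than the poster's own code. It assumes a `posts` table with `body_raw` and `body_clean` text columns, `ezyang/htmlpurifier` installed via Composer, and a writable `storage/app/htmlpurifier` directory; the class, column and attribute names are this example's choices.

```php
<?php
// Added example: an Eloquent model that stores the unfiltered WYSIWYG HTML
// next to a purified copy, and only hands out the clean one by default.
// Assumed schema: posts(id, title, body_raw TEXT, body_clean TEXT, timestamps)

namespace App\Models;

use HTMLPurifier;
use HTMLPurifier_Config;
use Illuminate\Database\Eloquent\Model;

class Post extends Model
{
    // `body` is not a column; writes to it go through the mutator below.
    protected $fillable = ['title', 'body'];

    // One purifier instance per process (building the config is comparatively slow).
    protected static ?HTMLPurifier $purifier = null;

    protected static function purifier(): HTMLPurifier
    {
        if (static::$purifier === null) {
            $config = HTMLPurifier_Config::createDefault();
            $config->set('HTML.Allowed', 'p,br,b,strong,i,em,ul,ol,li,a[href],img[src|alt]');
            $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
            $config->set('HTML.Nofollow', true);
            // Directory must exist and be writable by the web server user.
            $config->set('Cache.SerializerPath', storage_path('app/htmlpurifier'));
            static::$purifier = new HTMLPurifier($config);
        }
        return static::$purifier;
    }

    // Assigning $post->body (or mass-assigning 'body') stores both versions.
    public function setBodyAttribute(string $html): void
    {
        $this->attributes['body_raw']   = $html;
        $this->attributes['body_clean'] = static::purifier()->purify($html);
    }

    // Reading $post->body returns the purified copy. The raw HTML is only
    // reachable as $post->body_raw, which makes accidental raw output unlikely.
    public function getBodyAttribute(): string
    {
        return $this->attributes['body_clean'] ?? '';
    }

    // Re-run the current filter over the original content, e.g. after
    // loosening or tightening HTML.Allowed; this is the "reprocess" case.
    public function refilter(): void
    {
        $this->body = $this->attributes['body_raw'] ?? '';
        $this->save();
    }
}
```

In the controller, `Post::create($request->only('title', 'body'))` is enough. In Blade the public view renders `{!! $post->body !!}` (unescaped, because it has been purified), while the edit form pre-fills the editor with `{{ $post->body_raw }}` inside the `<textarea>` (escaped, the editor decodes it). The thing to check in review is that `body_raw` never appears inside `{!! !!}`.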
You can use a tag system similar to BBCode or Markdown to allow your users to do certain operations. This way, you can be sure the input will be sanitized against EVERY kind of malicious script; just use a lexer and XSS protection when displaying user content.
EDIT: To see what I mean, you can use CKEditor as your WYSIWYG editor, in conjunction with the BBCode plugin:
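As an added example of the server-side half of this answer's approach (not code from the poster and not CKEditor's BBCode plugin), the function below escapes everything first and then translates a fixed set of BBCode tags into fixed HTML. It uses regular expressions instead of a full lexer to keep it short; the tag set, the URL rule and the sample inputs are this example's own choices.

```php
<?php
// Added example: minimal BBCode renderer built on "escape first, then allow".
// Supported tags: [b], [i], [url=...]. Everything else stays literal text.

function bbcodeToHtml(string $input): string
{
    // Step 1: neutralise all raw HTML. From here on nothing the user typed can
    // be read as a tag or attribute; only the markup emitted below can.
    $s = htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Step 2: translate a closed set of tags. The replacement markup is fixed,
    // so user text never lands in an attribute except the URL, checked below.
    $s = preg_replace('#\[b\](.*?)\[/b\]#s', '<strong>$1</strong>', $s);
    $s = preg_replace('#\[i\](.*?)\[/i\]#s', '<em>$1</em>', $s);

    // [url=...]text[/url]: only absolute http(s) URLs become links. Anything
    // else (javascript:, data:, relative paths) is rendered as plain text.
    $s = preg_replace_callback(
        '#\[url=(.*?)\](.*?)\[/url\]#s',
        function (array $m): string {
            // The URL was entity-encoded in step 1; decode it to validate the real value.
            $href = html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
            if (!preg_match('#^https?://[^\s"\'<>]+$#i', $href)) {
                return $m[2]; // drop the link, keep the already-escaped text
            }
            return '<a href="' . htmlspecialchars($href, ENT_QUOTES | ENT_HTML5, 'UTF-8')
                 . '" rel="nofollow noopener">' . $m[2] . '</a>';
        },
        $s
    );

    // Step 3: preserve line breaks without allowing <br> in the input.
    return nl2br($s);
}

// Constructed inputs covering the normal case, two attack attempts and a
// malformed tag. Store the BBCode source; render with bbcodeToHtml() on output.
$samples = [
    'Hello [b]world[/b] <script>alert(1)</script>',
    '[url=javascript:alert(1)]click[/url]',
    '[url=https://example.com/?a=1&b=2]safe link[/url]',
    '[b]unclosed',
];
foreach ($samples as $in) {
    echo bbcodeToHtml($in), PHP_EOL;
}
```

The first sample keeps the bold text and shows the script as literal `&lt;script&gt;` text, the `javascript:` link collapses to the word "click", the https link survives with its `&amp;` correctly encoded in the attribute, and the unclosed tag is left as it was typed. Because the output is already escaped, it is safe to print with `{!! !!}` in Blade; the source BBCode should still go through `{{ }}` when it is put back into the editor.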