symfony - Escape HTML code with TWIG Markdown -

-

I'm working on a blog comment bundle and I want to let the user post some code using Markdown.
I work for Symphony 2, TUIG and Parsing 
  {{post.content | markdown}} In fact, the content is well marked by markdown pers ( & lt; code & gt;      ...) but if there is some HTML code in my content:  
  some content `` `& lt; Script & gt; Alert ("Hello World"); & Lt; / Script & gt; ``   
 The code has not been saved and I have a warning message. Could someone please tell me how can I deal with XSS issues? ( foo | raw  and  foo | escape  is particularly broken)   
 
 
 I am just a victim of this problem, but since the  strip_tags  attributes are not enough to protect values ​​in the tag, I will present my answer.  
 Open a console console that I am using to remove all unwanted HTML elements and attributes and execute the following command to install it.   Music requires $ ezyang / htmlpurifier "^ 4.6"   
 Then you can create your own twig extension:  
  Namespace AcmeBundle \ Twig; Class HTMLPurifierExtension \ twig_Extension {public function getFilters () {returning array (new \ Twig_SimpleFilter ('html_purifier', array ($ this, 'net'), array ('is_safe' => array ('html')) ($ Text) {$ element = array ('P', 'BR', 'small', 'strong', 'b', 'm', 'i', ' Strike ',' Sub ',' Super ',' In ',' Dale ',' Oh ',' Ul ',' Lee ',' H1 ',' H2 ',' H3 ',' DL ' 'DD', 'DT', 'Pre', 'Code', 'Nam', 'KBD', 'Q', 'Blockkot', 'ABRR', 'Seat', 'Table', 'Thad', 'Tebs' , 'Th', 'tr' 'td', 'a | $ Config = \ HTMLPurifier_Config :: createDefault (); $ Config- & gt; Set ('HTML.Allowed' $ filtered (',', $ element); $ Purifier = new \ HTMLPurifier ($ config); net $ net-> pure ($ text);} public function getName () {return 'html_purifier';}} < / Code>  
 Open  services.yml  and register extension as a service:  
  Services: acme.html_purifier_extension: class: AcmeBundle \ Twig \ HTMLPurifierExtension Public: Incorrect Tags: - {name: twig.extension}   
 You can now save it with  
  {{post.content} Sub Industry can | Markdown | Html_purifier}}

Comments

Post a Comment

Popular posts from this blog

php - PDO bindParam() fatal error -

-
I am trying to learn PDO, now I have written this small code, but it gives me a serious error: Fatal error: Call a member function at a non-object dot () ... $ con = new mysqli ("127.0.0.1", "root", "", "csvdangercheck"); $ Query = $ con- & gt; ("Id,` var1`, `var2`) values ​​(" id,: var1,: var2) ";); $ query- & gt; bypass pattern (': id', $ id); $ query- & gt; BindParam (': var1', $ VAL1); $ Query- & gt; bindParam (': var2', $ val2); $ Query-> Executed (); I Trying to use print_r ($ con-> errorInfo ()) but Fatal error: Undefined method mysqli :: errorInfo ( ) ... can someone tell me what am I missing? Flaffeh said, you have PDO Missing Mysqy, try it: $ con = new PDO ('mysql: host = 127.0.0.1; dbname = csvdangercheck', 'root', '');
Read more

php - How can I cram 6+31 numeric characters into 22 alphanumeric characters? -

-
I have a 6 digit number and a 31-digit number (such as "234536" and "201103231043330478311223582826") that I The API needs to be crawled in the same 22-character alphanumeric field that uses PHP. I tried to convert each one to 32 (using custom code could not handle the base_convert () large number) and to connect with a single-character delimiter, but It only gives me 26 characters This is a restore API, so the letters should be URI-protected. I would like to do a database table cross with two references without reference to another reference value, if possible, any suggestions? Instead use a radix of 62. This will give you 22 characters for the top, 3.35 for the pre and 17.3 for the next. & gt; & Gt; & Gt; Math.log (10 ** 6) /math.log (62) 3.3474826039165504 & gt; & Gt; & Gt; Math.log (10 ** 31) /math.log (62) 17.295326786902177
Read more

logging - How can I log both the Request.InputStream and Response.OutputStream traffic in my ASP.NET MVC3 Application for specific Actions? -

-
For a specific set of tasks, I need to log in to the incoming request inputstream as well as outgoing response. is. I am using an ActionFilterAttribute for this and overriding the OnActionExecuted and OnResultExecuted methods. So I'm starting with this idea ... Public category ActionLoggerAttribute: ActionFilterArrbit {Public Override Zero On-Offed Execution (ActionActioned Contact Filter Filter) {base.OnActionAxecuted (FilterContext); HttpRequestBase request = filterContext.HttpContext.Request; // TODO: Log the request. InputStream} Public Override Zero OnResultExecuted (ResultExecutedContext FilterContext) {base.OnResultExecuted (filterContext); HTTPRPSPointBase Response = FilterContacts Hpptex response; // TODO: Log on Response.OutputStream}} Ideally I'll hook it up with enterprise library logging because I'm already using it for error logging. Am I reaching the input and output stream at the right time? Can I easily use the Enterprise Library to log i...
Read more