I'm using HTMLPurifier to check for XSS in an entire HTML document. The problem is that it appears to strip out anyything that isn’t inside <body> tags. But, I want to keep everything, just look out for serious XSS attacks.
Any ideas how to allow <HTML>, <HEAD>, <META> etc.?
Remember that you can construct an XSS attack that runs from 'head'.
David, I just searched on the HTMLPurifier support forum and saw that you've been busy.
But perhaps you missed the posting from a few months ago that addresses your exact issue, specifically the reply:
Full document support will (ostensibly) come some time in the HTML Purifier 5.x series; we don't actually have the parsing code necessary to actually deal with full HTML documents.
Until then, you'll want to capture your head and DTD and re-add it to the purified doc.
You can tell HTML Purifier what tag the purified code will be inside (it defaults to 'div'). Setting this to 'span' would block all block-level tags. You could experiment with setting it to 'body', or even to 'html'.