views:

156

answers:

1

Greetings,

I'm trying to prevent XSS and improper html from input fields using CKEditor (a javascript WYSIWYG editor).

How should I filter this data on the server side? The two options I'm comparing are PHP Tidy and HTML Purifier. I'm interested in speed, security, and valid nesting.

Edit:

According to HTML Purifier, Tidy does not prevent XSS. So, let me specify that I would first pass the user input through

strip_tags($input,'<img><a><li><ol><ul><b><br>'); before passing to Tidy

+1  A: 

HTML Purifier restricts the input beyond what strip_tags can. strip_tags would not strip JavaScript from the attributes of the tags you are allowing. I definitely recommend using HTML Purifier. HTML Purifier is not fast, but add/edit executions are usually less frequent than views so performance is less of an issue.

Sonny
Also, HTML Purifier is a one-stop-shop, so you don't need to pass the code to Tidy afterward.
Sonny
Just found this comparison, and it mentions `strip_tags` and Tidy. http://htmlpurifier.org/comparison
Sonny