I'm using HTML Purifier, a PHP "filter that guards against XSS and ensures standards-compliant output," to sanitize/standardize user-inputted markup.
This is an example of the user-inputted markup:
<font face="'Times New Roman', Times">TEST</font>
which generates:
<span style="font-family:&quot;Times New Roman&quot;, Times;">TEST</span>
I'm a bit confused, because &quot; isn't even the escape char for a single quote. What's the best practice here since I'm going to be using this user generated content later?
- Leave as is
- Replace all &quot; with \' after purifier executes
- Configure HTML Purifier differently
- Something else?
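As an added example (not from the question and not HTML Purifier's own code), this Python snippet feeds the purified line quoted above to the standard-library HTML parser to show that &quot; is only the attribute-context encoding of a double quote, and what the "replace after purifying" option would hand to the browser instead:

```python
from html.parser import HTMLParser
import html

# Output line quoted from the question: HTML Purifier rewrote the single quotes
# as double quotes and encoded them as &quot; inside the double-quoted style attribute.
PURIFIED = '<span style="font-family:&quot;Times New Roman&quot;, Times;">TEST</span>'


class StyleCollector(HTMLParser):
    """Collect the decoded style attribute of every start tag."""

    def __init__(self):
        super().__init__()
        self.styles = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser hands attribute values over already entity-decoded,
        # which is what a browser's CSS engine receives as well.
        for name, value in attrs:
            if name == "style":
                self.styles.append(value)


def decoded_style(markup):
    """Return the style value exactly as an HTML parser sees it."""
    parser = StyleCollector()
    parser.feed(markup)
    return parser.styles[0] if parser.styles else None


def naive_fixup(markup):
    """The 'replace all &quot; with \\'' option from the question, applied post-purify."""
    return markup.replace("&quot;", "\\'")


def attribute_encode(value):
    """What a sanitizer must do before placing a value in a double-quoted attribute."""
    return html.escape(value, quote=True)
```

The parsed value of the purified markup is plain font-family:"Times New Roman", Times; with real double quotes, so the entity is correct contextual encoding rather than damage; the replace option instead leaves literal backslashes in the CSS the browser parses.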