Really my question has more to do with the server-side scrubbing of HTML that's accepted via the WYSIWYG form component. Right now I'm leaning toward using htmlpurifier.org's library. I'm using PHP's strip_tags() function elsewhere. Anyone have any advice/preferences/recommendations?
+1
A:
Don't forget to scrub out the on* attributes like <p onclick="alert('hi!');">. This can cause some trouble.
Evan Fosmark
2009-01-19 22:28:00
+1
A:
strip_tags is very vulnerable - you might as well do nothing. HtmlPurifier is probably as good as it gets with HTML cleansing. If you are really serious about security, you should probably disallow HTML input entirely, but I realise that's not always an option.
troelskn
2009-01-19 22:36:51
Oh, trust me, I've fought for disallowing it entirely.
codemonkey
2009-01-20 16:55:22