htmlpurifier

I would appreciate an answer to settle a disagreement between me and some co-workers. We have a typical PHP / LAMP web application. The only input we want from users is plain text. We do not invite or want users to enter HTML at any point. Form elements are mostly basic input text tags. There might be a few textareas, checkboxes etc. There is currently no sanitizing of output to pages. All dynamic content, some of which came from user input, is simply echoed to the page. We obviously need to make it safe. My solution is to use htmlspecialchars on all output at the time it is echoed on the page

I'm trying to allow some data-attribute with htmlPurifier for all my span but no way... I have this string: <p> <span data-time-start="1" data-time-end="5" id="5"> <word class="word">My</word> <word class="word">Name</word> </span> <span data-time-start="6" data-time-end="15" id="88"> <word class="word">Is</word> <word class="word">Zooboo</word> </span> <p> My htmlpurifier config: $this->HTMLpurifierConfigInverseTransform = \HTMLPurifier_Config::createDefault(); $this->HTMLpurifierConfigInverseTransform->set('HTML.Allowed', 'span,u,strong,em'); $this->HTMLpurifierConfigInverseTransform->set(

Is it possible to have htmlpurifier use the html5 doctype? The documentation here states that you can change the doctype and encoding with the following: <?php require_once '/path/to/htmlpurifier/library/HTMLPurifier.auto.php'; $config = HTMLPurifier_Config::createDefault(); $config->set('Core', 'Encoding', 'ISO-8859-1'); // replace with your encoding $config->set('HTML', 'Doctype', 'HTML 4.01 Transitional'); // replace with your doctype $purifier = new HTMLPurifier($config); $clean_html = $purifier->purify($dirty_html); ?> but then in the install instructions here states that the supported

I am using HTML Purifier to protect my application from XSS attacks. Currently I am purifying content from WYSIWYG editors because that is the only place where users are allowed to use XHTML markup. My question is, should I use HTML Purifier also on username and password in a login authentication system (or on input fields of sign up page such as email, name, address etc)? Is there a chance of XSS attack there? You should Purify anything that will ever possibly be displayed on a page. Because with XSS attacks, hackers put in <script> tags or other malicious tags that can link to other sites.

My idea is to somehow minify HTML code in server-side, so client receive less bytes. What do I mean with "minify"? Not zipping. More like, for example, jQuery creators do with .min .js versions. In other words, I need to remove unnecessary white-spaces and new-lines, but I can't remove so much that presentation of HTML changes (for example remove white-space between actual words in paragraph). Is there any tools that can do it? I know there is HtmlPurifier . Is it able to do it? Any other options? P.S. Please don't offer regex'ies. I know that only Chuck Norris can parse HTML with them. =] You

I'm having an issue with using the HTMLPurifier php library. I'm using a WYSIWYG editor named 'Summernote' for all text areas on my application. When writing something inside sommernote like: <script>alert('test');</script> The post data comes through as <p><script>alert('test');</script></p> However, once this is ran through the HTMLPurifier, it doesn't remove the script tags that are converted into regular characters. So when I go to edit this text inside summernote, it actually runs the script! Here's an image of what is processed into the editor: And here is how it's stored inside the

How can I use HTMLPurifier to filter xss but also to allow iframe Vimeo and Youtube video? require_once 'htmlpurifier/library/HTMLPurifier.auto.php'; $config = HTMLPurifier_Config::createDefault(); $config->set('HTML.Trusted', true); $config->set('Filter.YouTube', true); $config->set('HTML.DefinitionID', '1'); $config->set('HTML.SafeObject', 'true'); $config->set('Output.FlashCompat', 'true'); $config->set('HTML.FlashAllowFullScreen', 'true'); $purifier = new HTMLPurifier($config); $temp = $purifier->purify($temp); HTMLPurifier version 4.4.0 has new configuration directives to allow YouTube