I am currently in a project with a PHP frontend. We're pretty concerned about security, because we'll have quite a lot of users and are an attractive target for hackers. O
Personally I have had very good results with the HTML Purifier project
It is highly customizable and has a huge code base. The only issue is uploading the files to your server.
Are you sure you do not have a configuration issue with your installation? The purifier should not let through any HTML tags at all if configured correctly.
From the web site:
HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, it will also make sure your documents are standards compliant, something only achievable with a comprehensive knowledge of W3C's specifications.
Tired of using BBCode due to the current landscape of deficient or insecure HTML filters? Have a WYSIWYG editor but never been able to use it? Looking for high-quality, standards-compliant, open-source components for that application you're building? HTML Purifier is for you!
I wrote an article about how to use the HTML purifier library with CodeIgniter here.
Maybe it will help with giving it another try:
// load the library (adjust the path to where you unpacked it), then the
// config, overriding defaults as necessary
require_once 'library/HTMLPurifier.auto.php';
$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.Doctype', 'XHTML 1.0 Transitional');
// whitelist: elements and attributes not listed here are removed
$config->set('HTML.AllowedElements', 'a,em,blockquote,p,strong,pre,code');
$config->set('HTML.AllowedAttributes', 'a.href,a.title');
$config->set('HTML.TidyLevel', 'light');
// run the untrusted input through the purifier
$purifier = new HTMLPurifier($config);
$clean_html = $purifier->purify($dirty_html);
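As an added example (not the code from the answer above or from the HTML Purifier project), the same whitelist wrapped in a reusable function, with two settings a deployment usually also needs: a restricted set of link schemes and a writable cache path. It assumes the standalone library is unpacked under library/ next to the script; the sample inputs are constructed for illustration.

```php
<?php
// Added example: assumes the HTML Purifier distribution was uploaded so that
// library/HTMLPurifier.auto.php resolves from this file.
require_once 'library/HTMLPurifier.auto.php';

function buildPurifier(string $cacheDir): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Doctype', 'XHTML 1.0 Transitional');
    // Whitelist from the answer: anything not listed is removed, not escaped.
    $config->set('HTML.AllowedElements', 'a,em,blockquote,p,strong,pre,code');
    $config->set('HTML.AllowedAttributes', 'a.href,a.title');
    $config->set('HTML.TidyLevel', 'light');
    // Only allow web and mail links; an href using any other scheme is
    // dropped together with the attribute.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true, 'mailto' => true]);
    // The definition cache must be writable by the web server user; keep it
    // outside the document root (path is an assumption for this example).
    $config->set('Cache.SerializerPath', $cacheDir);
    return new HTMLPurifier($config);
}

function cleanUserHtml(HTMLPurifier $purifier, string $untrusted): string
{
    return $purifier->purify($untrusted);
}

// Constructed sample inputs, the kind of thing a comment form might receive.
$samples = [
    '<p>Hello <strong>world</strong>, see <a href="https://example.org" title="docs">this</a>.</p>',
    '<p onclick="alert(1)">event handler attribute is not whitelisted</p>',
    '<script>alert(1)</script><em>script element is not whitelisted</em>',
    '<a href="javascript:alert(1)">href scheme is not in URI.AllowedSchemes</a>',
    '<p>unclosed paragraph <em>and unclosed emphasis',
];

$purifier = buildPurifier(__DIR__ . '/../purifier-cache');
foreach ($samples as $dirty) {
    // Print input and output side by side so the effect of each directive is visible.
    echo "IN : {$dirty}\nOUT: " . cleanUserHtml($purifier, $dirty) . "\n\n";
}
```

Run it from the command line with php after creating the cache directory; the output shows which elements and attributes survive the whitelist and that unbalanced markup comes back well-formed.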