Solved thread

This post is marked as solved. If you think the information contained on this thread must be part of the official documentation, please contribute submitting a pull request to its repository.

Allow HTML but prevent XSS

Hello Guys,

I just have a question about escaping HTML. I'm saving html in my database and I want to display that HTML on my website.

Well, when I display that HTML I want to escape script-tags or other dangerous html-tags (XSS). Currently I'm using the Phalcon\Escaper to escape html with $escaper->escapeHtml().

The problem is, that I want to display the html, but prevent from XSS by Script-Tags or something. Is this possible with the Phalcon\Escaper or is there a sanitize function to filter script tags ... ?

Any answer would be nice :)

Greets, Yannici



376
Accepted
answer

There is a PHP function for removing tags strip_tags but if you need a more complex sanitization use HTMLPurifier or a build a custom sanitizer with DOMDocument



2.6k

There is a PHP function for removing tags strip_tags but if you need a more complex sanitization use HTMLPurifier or a build a custom sanitizer with DOMDocument

I used HTMLPurifier to purify my html output. And it works good, thank you! :)