Allow HTML but prevent XSS

Question

Allow HTML but prevent XSS

Yannici Feb '15

Created Feb '15	Last Reply Feb '15	Replies 1	Views 1691	Votes 0

Yannici 4.5k

Feb '15

Hello Guys,

I just have a question about escaping HTML. I'm saving html in my database and I want to display that HTML on my website.

Well, when I display that HTML I want to escape script-tags or other dangerous html-tags (XSS). Currently I'm using the Phalcon\Escaper to escape html with $escaper->escapeHtml().

The problem is, that I want to display the html, but prevent from XSS by Script-Tags or something. Is this possible with the Phalcon\Escaper or is there a sanitize function to filter script tags ... ?

Any answer would be nice :)

Greets, Yannici

Óscar Enríquez
376

Accepted
answer

Feb '15

There is a PHP function for removing tags strip_tags but if you need a more complex sanitization use HTMLPurifier or a build a custom sanitizer with DOMDocument

Yannici · Answer 1 · 2015-02-27T07:06:44-07:00

There is a PHP function for removing tags strip_tags but if you need a more complex sanitization use HTMLPurifier or a build a custom sanitizer with DOMDocument

I used HTMLPurifier to purify my html output. And it works good, thank you! :)