I came across this thread in our PHP forum about HTML Purifier. It’s supposed to be better than HTML Tidy, so I checked it out (http://htmlpurifier.org/). HTML Purifier is an open-source (OSS) HTML filtering library you can use on your website against spam and XSS attacks.
Wily hackers have a huge arsenal of XSS vectors hidden in the depths of the HTML specification. HTML Purifier gets its effectiveness from decomposing the whole document into tokens and rigorously processing those tokens: it removes non-whitelisted elements, transforms bad-practice tags like font into span, checks the nesting of tags and their children, and validates all attributes according to their RFCs. In other words it is a whitelist filter working on a parsed document, not a blacklist of regular expressions over the raw string, which is why encoding tricks that slip past pattern matching do not help an attacker. HTML Purifier’s comprehensive algorithms are complemented by a breadth of knowledge about HTML, so that richly formatted documents pass through unstripped.
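To make the steps above concrete, here is an added example written for this post; it is not HTML Purifier’s own code (HTML Purifier is a PHP library and far more complete). It is a minimal whitelist sanitizer in Python on top of the standard library’s html.parser, showing the same pipeline: tokenize, drop non-whitelisted elements (and the contents of script/style), rewrite font into span, repair nesting, and validate attributes (URL scheme on href, a tiny subset of CSS on style). The element whitelist, the safe scheme list, the colour pattern and the attack payloads are all assumptions constructed for the demo.

```python
"""Minimal whitelist HTML sanitizer (added illustration, not HTML Purifier code)."""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed whitelist for the demo: element -> attributes permitted on it.
ALLOWED = {
    "p": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "ul": set(), "li": set(), "br": set(),
    "span": {"style"}, "a": {"href", "title"},
}
VOID_ELEMENTS = {"br"}
SAFE_SCHEMES = {"http", "https", "mailto"}          # assumed policy
DROP_WITH_CONTENT = {"script", "style"}             # text inside these goes too
COLOR_RE = re.compile(r"^(#[0-9a-fA-F]{3}|#[0-9a-fA-F]{6}|[a-zA-Z]{1,20})$")
CONTROL_RE = re.compile(r"[\x00-\x20\x7f]")


def clean_href(value):
    """Return a safe URL or None. Control characters and whitespace are removed
    first because browsers ignore them inside the scheme ('java\\tscript:' runs).
    Entity-encoded tricks never reach us: html.parser decodes attribute values."""
    value = CONTROL_RE.sub("", value or "")
    scheme = urlparse(value).scheme.lower()
    if scheme and scheme not in SAFE_SCHEMES:
        return None                       # javascript:, data:, vbscript: ...
    return value                          # relative or whitelisted absolute URL


def clean_style(value):
    """Keep only 'color: <validated value>' declarations; everything else
    (url(), expression(), behavior ...) is dropped."""
    kept = []
    for decl in (value or "").split(";"):
        if ":" not in decl:
            continue
        prop, val = (part.strip() for part in decl.split(":", 1))
        if prop.lower() == "color" and COLOR_RE.match(val):
            kept.append("color:%s" % val)
    return ";".join(kept) or None


def transform_font(attrs):
    """Bad-practice tag transformation: <font color=...> becomes <span style=...>.
    size/face are simply dropped in this demo."""
    styles = ["color:%s" % v for n, v in attrs
              if n == "color" and v and COLOR_RE.match(v)]
    return "span", ([("style", ";".join(styles))] if styles else [])


def validate_attrs(tag, attrs):
    """Attribute whitelist plus per-attribute validation. Event handlers such as
    onclick/onerror are never whitelisted, so they vanish here."""
    clean = []
    for name, value in attrs:
        name = name.lower()
        if name not in ALLOWED[tag]:
            continue
        if name == "href":
            value = clean_href(value)
        elif name == "style":
            value = clean_style(value)
        if value is None:
            continue
        clean.append((name, value))
    return clean


class WhitelistSanitizer(HTMLParser):
    """Token-based rebuild of the document: only whitelisted tokens are re-emitted,
    text is re-escaped, and the open-tag stack repairs mis-nesting."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open, self.dropping = [], [], None

    def handle_starttag(self, tag, attrs):
        if self.dropping:
            return
        if tag in DROP_WITH_CONTENT:
            self.dropping = tag
            return
        if tag == "font":
            tag, attrs = transform_font(attrs)
        if tag not in ALLOWED:
            return                        # element removed; its text still flows through
        attr_text = "".join(' %s="%s"' % (n, escape(v, quote=True))
                            for n, v in validate_attrs(tag, attrs))
        if tag in VOID_ELEMENTS:
            self.out.append("<%s%s />" % (tag, attr_text))
        else:
            self.out.append("<%s%s>" % (tag, attr_text))
            self.open.append(tag)

    def handle_endtag(self, tag):
        if self.dropping:
            if tag == self.dropping:
                self.dropping = None
            return
        if tag == "font":
            tag = "span"
        if tag in self.open:              # close mis-nested children first
            while self.open:
                closed = self.open.pop()
                self.out.append("</%s>" % closed)
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass                              # comments (incl. conditional ones) dropped


def sanitize(html):
    parser = WhitelistSanitizer()
    parser.feed(html)
    parser.close()
    while parser.open:                    # close whatever the input left open
        parser.out.append("</%s>" % parser.open.pop())
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed payloads for the demo.
    for dirty in ['<p>Hi <script>alert(1)</script>there</p>',
                  '<a href="javascript:alert(1)" onclick="x()">click</a>',
                  '<a href="JAVA\tSCRIPT:alert(1)">x</a>',
                  '<a href="&#106;avascript:alert(1)">x</a>',
                  '<font color="red" onmouseover="x()">hi</font>',
                  '<span style="background:url(javascript:alert(1))">x</span>',
                  '<img src=x onerror=alert(1)>text',
                  '<b><i>bold italic</b> only italic?</i>']:
        print(repr(dirty), "->", repr(sanitize(dirty)))
```

The point to notice is that every layer is a whitelist: unknown elements, unknown attributes, unknown URL schemes and unknown CSS properties are all dropped by default, so a new attack vector has to be explicitly allowed before it can get through. The real library also validates far more (full CSS and URI grammars, doctype-aware nesting rules, character encodings), which is exactly the "breadth of knowledge" the text refers to.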
I downloaded the WordPress plugin version of HTML Purifier, installed it, set it up, and activated it on this blog (http://urbangiraffe.com/plugins/html-purified/). I tried all the XSS attacks I could think of and it’s working great!
This is a must for every web developer who is torn between allowing the rich HTML an OSS WYSIWYG editor produces and keeping robust filtering and validation of what users submit.
December 11th, 2007 at 3:09 am
Have a look at htmLawed — much less resource-intensive than HTMLPurifier, and kses-compatible. Kses is the script used in WordPress, and using htmLawed in WordPress is as simple as replacing the kses.php file.