Remove XSS, but don't convert to HTML entities

Re: Remove XSS, but don't convert to HTML entities

Ambush Commander — Fri, 09 Mar 2012 12:53:46 -0500

Yeah, that's not going to work.

daGrevis — Fri, 09 Mar 2012 12:50:26 -0500

Well, that's shame. I was planning to run Markdown on client-side. :(

Ambush Commander — Fri, 09 Mar 2012 12:43:39 -0500

Oh, I see. No, that's not possible. The encoding of all tags is very important for safety. Run Markdown before.

daGrevis — Fri, 09 Mar 2012 11:26:07 -0500

Well, no. According to demo page.

> Quote

...becomes:

> Quote

Ambush Commander — Fri, 09 Mar 2012 11:20:11 -0500

It should do your specific examples already.

daGrevis — Fri, 09 Mar 2012 10:10:17 -0500

Is it possible to configure HTML Purifier so it removes XSS, but doesn't convert characters to HTML entities? I need it for Markdown syntax.

Example:

> Quote

Would be (the same, no XSS):

> Quote

But this (or any other input with XSS in it):

> Quote

Would be (input with XSS removed):

> Quote

Is HTML Purifier able to do it? :)