
Using HTMLPurifier to remove all html tags

Robert Mena
Using HTMLPurifier to remove all html tags
October 25, 2010 03:28PM

Hi,

I am looking for a solution to help me filter the input received by my apps. Some of those input fields should accept HTML, but others shouldn't (like regular form fields).

Is it possible to use HTML Purifier to remove all tags? If not, can anybody suggest an alternative?

Re: Using HTMLPurifier to remove all html tags
October 25, 2010 03:53PM

If you want to simply sanitize user input, htmlspecialchars() does just fine. If you want to remove all tags (which is only appropriate if you are format shifting from HTML to TXT), strip_tags() and then htmlspecialchars() will do just fine. HTML Purifier is overkill, anyway.

Robert Mena
Re: Using HTMLPurifier to remove all html tags
October 25, 2010 04:04PM

Hi Ambush,

Does strip_tags(htmlspecialchars($input)) handle the encoding tricks used, such as

SRC=javascript:alert('XSS')>

Well, I was trying to use & # 106 (all together).

Re: Using HTMLPurifier to remove all html tags
October 25, 2010 04:07PM

Do it the other way around.
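To make the "other way around" concrete, here is an added example (not code from the thread) that runs both orders over constructed inputs, including the thread's own entity-encoded sample; the function names are mine.

```php
<?php
// Added example: why the order of strip_tags() and htmlspecialchars() matters.
// Inputs below are constructed for illustration; requires PHP 7 or later.

function toPlainText(string $input): string
{
    // 1. strip_tags() removes markup. It does NOT decode entities, so the
    //    characters "&#106;" survive as literal text, not as the letter "j".
    // 2. htmlspecialchars() then escapes what is left (& < > " '), so the
    //    browser renders the remaining text as text, never as markup or as
    //    a decoded entity.
    return htmlspecialchars(strip_tags($input), ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function wrongOrder(string $input): string
{
    // Escaping first turns every "<" into "&lt;", so strip_tags() finds no
    // tags to remove. The result is still safe to echo, but the original
    // markup stays visible to the reader as "&lt;b&gt;...".
    return strip_tags(htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}

// Constructed samples: ordinary markup, and the encoded trick from the thread.
$samples = [
    '<b>Hello</b> world',
    "<img src=\"&#106;avascript:alert('XSS')\">caption",
];

foreach ($samples as $s) {
    printf("input:       %s\n", $s);
    printf("right order: %s\n", toPlainText($s));   // tag gone, text kept
    printf("wrong order: %s\n\n", wrongOrder($s));  // escaped tag still visible
}
```

Both orders yield output that is safe to echo into HTML; only strip_tags-then-escape gives the plain text the original poster asked for, and in neither case does the &#106; entity become an executable "javascript:" URL, because nothing in this chain decodes entities.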

Eugenio
Re: Using HTMLPurifier to remove all html tags
November 12, 2010 04:36PM

Hi, could you explain to me why using htmlspecialchars alone (without strip_tags) isn't enough to sanitize all user inputs?

Thanks in advance.

E.

Re: Using HTMLPurifier to remove all html tags
November 12, 2010 04:43PM

htmlspecialchars() alone is sufficient to prevent attacks, and I recommend using that when possible. But there are occasionally situations when stripping tags is correct: for example, the original text was actually HTML, and you want to display it in a plain text form with the tags stripped out. Doing this in full generality is kind of tricky, but removing tags is a good first step.

Eugenio
Re: Using HTMLPurifier to remove all html tags
November 12, 2010 05:55PM

Ok, so you mean you would add strip_tags not for security reasons but for styling reasons; am I right?

Re: Using HTMLPurifier to remove all html tags
November 12, 2010 05:59PM

Yep.

Eugenio
Re: Using HTMLPurifier to remove all html tags
November 13, 2010 01:46PM

Thanks for your reply.

Chris W
Re: Using HTMLPurifier to remove all html tags
December 28, 2010 01:12PM

I do this using HTML Purifier on tons of my forms. Check it out:

function removeHTML($html) {
  require_once('htmlpurifier/library/HTMLPurifier.auto.php');
  $config = HTMLPurifier_Config::createDefault();
  // Dotted "Namespace.Directive" keys are the current HTML Purifier form;
  // the older set('Core', 'Encoding', ...) two-argument form is deprecated.
  $config->set('Core.Encoding', 'ISO-8859-1'); // not using UTF-8
  $config->set('HTML.Allowed', ''); // allow no elements at all: only text content survives
  $purifier = new HTMLPurifier($config);
  return $purifier->purify($html);
}