This code works on htmlpurifier

i got it from http://ha.ckers.org/xss.html and it works on my form.

<IMG SRC="javascript:alert('XSS');">

i got it from http://ha.ckers.org/xss.html and it works on my form.

This xss code works too

<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

Uhhh... no it doesn't.

See also: http://htmlpurifier.org/live/smoketests/xssAttacks.php

';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//-->">'>

žscriptualert(EXSSE)ž/scriptu

very nice

<a href="http://aeno.co.cc/abc/" target="_blank">aeno.co.cc/abc/</a>

aeno.co.cc/abc/

'onmouseover=prompt(934419) bad='

';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

jjjj

" onclick='alert(50)' "

But i can't test it here, it's only in a hmtl input field. saved to database and rerender

THe code with tags are filtered correctly. i cannont proove it here, but all my tests are working.

i used this to prevent all javascript .

				$value =	preg_replace('@<[\/\!]*?[^<>]*?>@si','',$value);//remove all html tags
				$value =	(string)preg_replace('#on[a-z](.+?)\)#si','',$value);//replace start of script onclick() onload()...
				$value = trim(str_replace('"', ' ', $value),"'") ;
				$value =	(string)preg_replace('#^\'#si','',$value);//replace ' at start

BUt it's not perfect because this can remove unwanted chars.