Best Settings for Html purify

Question

I would like to use PHP-based tool HTML Purifier on a textbox to prevent xss but I would like to allow the following:

1. basic tags like <b>,<i>,<u>
2. links
3. images

I would like to block all CSS and JavaScript. I just tried HTML Purifier and it failed on this case. Just see this example. How can I take care of this?

Also I would want all words of the form #abcd and @abcd to be replaced with custom html (as you would have guessed it a link). Is it possible with this or do I have to do my own replace?

Answer 1

Set HTML.Allowed to something like b,i,u,a[href],img[src|alt]

See here.

Answer 2

Regular expressions and e modifier

function checkTag( $tag ) {
  $tag = removeslashes( $tag );

  ...

  return $secureTag;
}

$html = preg_replace( "/<[^>]+>/e", " checkTag( '\$0' )", $input );

Answer 3

PHP has a built-in function that seems to do exactly what you want.

http://php.net/manual/en/function.strip-tags.php

It even has a whitelist feature so it can allow some tags.

For the #abcd and the @abcd part I think you will have to use a preg_replace() for that. I have used a similar function and it does the @abcd part very well :).

$sClickText = preg_replace("/\@([a-zA-Z0-9_])+/",' <a href="#reply" onClick="reply(\'' . "$0" . '\')">' . "$0" . '</a>',$sInputText);