
Greetings,

I'm trying to prevent XSS and improper HTML from input fields using CKEditor (a JavaScript WYSIWYG editor).

How should I filter this data on the server side? The two options I'm comparing are PHP Tidy and HTML Purifier. I'm interested in speed, security, and valid nesting.

Edit:

According to HTML Purifier, Tidy does not prevent XSS. So, let me specify that I would first pass the user input through

`strip_tags($input, '<img><a><li><ol><ul><b><br>');` before passing it to Tidy.

pws5068

1 Answer


HTML Purifier restricts the input beyond what strip_tags can. strip_tags would not strip JavaScript from the attributes of the tags you are allowing. I definitely recommend using HTML Purifier. HTML Purifier is not fast, but add/edit executions are usually less frequent than views so performance is less of an issue.

Sonny
  • Also, HTML Purifier is a one-stop-shop, so you don't need to pass the code to Tidy afterward. – Sonny Jul 14 '10 at 19:05
  • Just found this comparison, and it mentions `strip_tags` and Tidy. http://htmlpurifier.org/comparison – Sonny Jul 14 '10 at 19:08
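The following is an added example, not code from the question or the answer, that puts the two approaches side by side: the question's `strip_tags()` allow-list and the answer's HTML Purifier configuration, both applied to the same constructed input. It assumes HTML Purifier is installed via Composer (`vendor/autoload.php`); the sample input string and the function names `filterWithStripTags` and `filterWithPurifier` are the example's own.

```php
<?php
// Added example (not from the question or answer). Assumes HTML Purifier is
// installed via Composer; if you use the standalone library instead, require
// library/HTMLPurifier.auto.php.
require_once __DIR__ . '/vendor/autoload.php';

// Constructed sample input: every tag here is on the question's strip_tags()
// allow-list, but the attributes carry script, and there is one stray <script>.
$dirty = '<b>Hello</b> <a href="javascript:alert(1)" onclick="alert(2)">link</a> '
       . '<img src="x.png" alt="pic"> <script>alert(3)</script>';

// The question's approach: strip_tags() with an element allow-list.
// It removes elements that are not listed, but never inspects attributes.
function filterWithStripTags(string $input): string
{
    return strip_tags($input, '<img><a><li><ol><ul><b><br>');
}

// The answer's recommendation: HTML Purifier with the same elements, plus an
// explicit attribute allow-list and a URI-scheme allow-list, so event-handler
// attributes and javascript: URIs are dropped and the output tree is well-formed.
function filterWithPurifier(string $input): string
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed', 'a[href],img[src|alt],li,ol,ul,b,br');
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    // HTML Purifier caches its definitions; point it at a writable directory.
    $config->set('Cache.SerializerPath', sys_get_temp_dir());

    $purifier = new HTMLPurifier($config);
    return $purifier->purify($input);
}

echo "strip_tags:    ", filterWithStripTags($dirty), PHP_EOL;
// The <script> element is gone, but href="javascript:..." and onclick="..."
// are still present on the <a> tag that the allow-list let through.

echo "HTML Purifier: ", filterWithPurifier($dirty), PHP_EOL;
// The <script> element, the onclick attribute and the javascript: href are all
// removed; <b>, <a> (now without href), and <img src alt> remain.
```

Reading the two outputs next to each other is the point the answer makes: an element allow-list alone is not an XSS filter, because the dangerous content lives in the attributes of permitted tags. With HTML Purifier doing both the allow-listing and the tidying, the separate Tidy pass the question proposed is no longer needed.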