xss_clean() and HTML
[eluser]Nelsaidi[/eluser]
I have a question regarding xss_clean(). I am developing a CMS, which means the users will post HTML to make a page, but I need that HTML to be XSS clean. So, in short, does xss_clean() convert HTML characters to entities? I.e. if I pass <b>test</b> through xss_clean(), will I still get bold text, or will it just display it as text? Thanks
[eluser]Thorpe Obazee[/eluser]
[quote author="Nelsaidi" date="1256355569"]I have a question regarding xss_clean(). I am developing a CMS, which means the users will post HTML to make a page, but I need that HTML to be XSS clean. So, in short, does xss_clean() convert HTML characters to entities? I.e. if I pass <b>test</b> through xss_clean(), will I still get bold text, or will it just display it as text? Thanks[/quote] It will just 'clean' it of 'malicious' characters and replace them with '[removed]'.
[eluser]someoneinomaha[/eluser]
I started using HTMLPurifier to accomplish this. http://codeigniter.com/wiki/htmlpurifier/ Seems to work pretty well so far.
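The following is an added example, not code from this thread, from CodeIgniter or from the HTMLPurifier wiki page linked above. It shows the allowlist approach that HTMLPurifier takes, which answers the original question directly: the CMS decides exactly which tags survive, so <b>test</b> stays bold while script tags, inline event handlers and javascript: URIs are dropped rather than merely tagged. It assumes HTMLPurifier is installed through Composer (the vendor/autoload.php path is an assumption) and uses only the documented HTMLPurifier_Config keys HTML.Allowed, URI.AllowedSchemes and Cache.DefinitionImpl.

```php
<?php
// Added example: sanitising CMS page HTML with an HTMLPurifier allowlist.
// Assumes HTMLPurifier is installed via Composer; the autoload path is an assumption.
require_once __DIR__ . '/vendor/autoload.php';

function build_purifier()
{
    $config = HTMLPurifier_Config::createDefault();
    // Allowlist: only these elements and attributes survive. Anything not listed
    // (script, style, iframe, on* handlers, ...) is removed, not escaped.
    $config->set('HTML.Allowed', 'p,b,strong,i,em,ul,ol,li,br,a[href],img[src|alt]');
    // Restrict href/src to safe schemes so javascript: and data: URIs are refused.
    $config->set('URI.AllowedSchemes', array('http' => true, 'https' => true, 'mailto' => true));
    // Disable the definition cache so this runs without a writable cache directory.
    $config->set('Cache.DefinitionImpl', null);
    return new HTMLPurifier($config);
}

// Entry point a CMS controller would call before storing or rendering a page body.
function clean_page_html($dirty)
{
    static $purifier = null;
    if ($purifier === null) {
        $purifier = build_purifier();
    }
    return $purifier->purify($dirty);
}

// Constructed sample input: legitimate markup mixed with common XSS payloads.
$samples = array(
    '<b>test</b>',
    '<p>Hello <script>alert(1)</script>world</p>',
    '<img src="x" onerror="alert(1)" alt="pic">',
    '<a href="javascript:alert(1)">click</a>',
    '<a href="https://example.com/">ok link</a>',
);

foreach ($samples as $s) {
    echo $s, "\n  -> ", clean_page_html($s), "\n";
}
```

In a CodeIgniter application the build_purifier()/clean_page_html() pair would live in a library under application/libraries, as the linked wiki page does, and be called on the submitted page body instead of (or after) xss_clean(). The practical difference is that the allowlist is an explicit, reviewable policy: adding a new tag to the CMS means adding it to HTML.Allowed, and anything the policy does not mention cannot reach the rendered page.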