xss_clean() and HTML
#1

[eluser]Nelsaidi[/eluser]
I have a question regarding xss_clean() - I am developing a CMS which means the users will post HTML to make a page, but I need that HTML to be XSS clean.

So, in short, does xss_clean convert HTML characters to entities? I.e. if I pass `<b>test</b>` through xss_clean, will I still get bold text or will it just display it as text?

Thanks
#2

[eluser]überfuzz[/eluser]
Go ahead and test it!
#3

[eluser]Thorpe Obazee[/eluser]
[quote author="Nelsaidi" date="1256355569"]I have a question regarding xss_clean() - I am developing a CMS which means the users will post HTML to make a page, but I need that HTML to be XSS clean.

So, in short, does xss_clean convert HTML characters to entities? I.e. if I pass `<b>test</b>` through xss_clean, will I still get bold text or will it just display it as text?

Thanks[/quote]

It will just 'clean' it of 'malicious' characters and replace them with '[removed]'.
#4

[eluser]someoneinomaha[/eluser]
I started using htmlpurifier to accomplish this.

http://codeigniter.com/wiki/htmlpurifier/

Seems to work pretty well so far.
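As an added example (not code from this thread or from the HTMLPurifier wiki page linked above), this is how the allowlist approach in this post looks in plain PHP: only listed tags and attributes survive, and link schemes are restricted. The include path, the tag list and the sample input are assumptions.

```php
<?php
// Added example, not from the thread: HTMLPurifier with an explicit
// element/attribute allowlist. Assumes the HTMLPurifier library is installed
// and HTMLPurifier.auto.php is on the include path.
require_once 'HTMLPurifier.auto.php';

function purifyUserHtml(string $dirty): string
{
    $config = HTMLPurifier_Config::createDefault();
    // Only these elements and attributes are kept; everything else is dropped,
    // so <b>test</b> still renders bold while script/event handlers vanish.
    $config->set('HTML.Allowed', 'p,b,i,em,strong,ul,ol,li,a[href],img[src|alt]');
    // Limit href/src schemes so javascript: and data: URIs cannot get through.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    // Mark user-supplied links as nofollow.
    $config->set('HTML.Nofollow', true);

    $purifier = new HTMLPurifier($config);
    return $purifier->purify($dirty);
}

// Constructed sample input: legitimate formatting mixed with injection attempts.
$dirty = '<b>test</b><script>alert(1)</script>'
       . '<p onclick="alert(2)">hello</p>'
       . '<a href="javascript:alert(3)">link</a>';

echo purifyUserHtml($dirty), PHP_EOL;
```

Unlike xss_clean, which blanks suspicious fragments with '[removed]', the purifier rebuilds the markup from a parse tree, so the output is always well-formed HTML containing only the allowed constructs.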