
Htmlpurifier, Check Entire Html Document

I'm using HTMLPurifier to check for XSS in an entire HTML document. The problem is that it appears to strip out anything that isn't inside tags. But, I want to keep

Solution 1:

David, I just searched on the HTMLPurifier support forum and saw that you've been busy.

But perhaps you missed the posting from a few months ago that addresses your exact issue, specifically the reply:

Full document support will (ostensibly) come some time in the HTML Purifier 5.x series; we don't actually have the parsing code necessary to actually deal with full HTML documents.

Until then, you'll want to capture your head and DTD and re-add it to the purified doc.


Solution 2:

Remember that you can construct an XSS attack that runs from 'head'.


Solution 3:

You can tell HTML Purifier what tag the purified code will be inside (it defaults to 'div'). Setting this to 'span' would block all block-level tags. You could experiment with setting it to 'body', or even to 'html'.
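The following is an added example of the "purify the body, rebuild the document" approach from Solution 1, combined with the warning in Solution 2; it is not code from the question, from any of the answers, or from the HTML Purifier project. It assumes HTML Purifier is installed through Composer (so the `vendor/autoload.php` path is an assumption) and the function name `purifyFullDocument` is made up for the illustration. Rather than re-adding the original `<head>` verbatim, it keeps only the title text, because script, meta-refresh, base and style elements in the head are exactly where a head-based payload would sit.

```php
<?php
// Added example: not part of the original thread or of HTML Purifier itself.
// Assumes a Composer install; adjust the autoloader path to your project.
require_once __DIR__ . '/vendor/autoload.php';

/**
 * Purify a full HTML document (hypothetical helper name).
 *
 * Strategy: parse the untrusted document, keep only the <title> text from
 * <head>, run the inner HTML of <body> through HTML Purifier, and reassemble
 * a document with a fixed doctype and a minimal, safe head.
 */
function purifyFullDocument(string $html): string
{
    // Parse the untrusted document. LIBXML_NOERROR / LIBXML_NOWARNING silence
    // libxml's complaints about tag soup; it still builds a tree we can walk.
    $dom = new DOMDocument();
    $dom->loadHTML($html, LIBXML_NOERROR | LIBXML_NOWARNING);

    // Keep only the title text. Everything else in <head> (script, meta
    // refresh, base, link, style) is dropped: as Solution 2 notes, an XSS
    // payload can run from head, so the original head is never re-added as-is.
    $title = '';
    $titles = $dom->getElementsByTagName('title');
    if ($titles->length > 0) {
        $title = $titles->item(0)->textContent;
    }

    // Serialise the children of <body> so the purifier sees body content only.
    $bodyInner = '';
    $bodies = $dom->getElementsByTagName('body');
    if ($bodies->length > 0) {
        foreach ($bodies->item(0)->childNodes as $child) {
            $bodyInner .= $dom->saveHTML($child);
        }
    }

    // HTML.Parent (see Solution 3) defaults to 'div', which already admits
    // block-level content, so it is left at its default here.
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Doctype', 'HTML 4.01 Transitional');
    $purifier = new HTMLPurifier($config);
    $cleanBody = $purifier->purify($bodyInner);

    // Reassemble: fixed doctype, escaped title, purified body.
    return "<!DOCTYPE html>\n<html>\n<head>\n<meta charset=\"utf-8\">\n<title>"
        . htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . "</title>\n</head>\n<body>\n" . $cleanBody . "\n</body>\n</html>\n";
}

// Constructed sample input: a document whose head and body both carry
// hostile markup. Only the <h1>/<p> content survives purification.
$sample = '<!DOCTYPE html><html><head><title>Report</title>'
    . '<script>alert(1)</script>'
    . '<meta http-equiv="refresh" content="0;url=http://example.invalid/">'
    . '</head><body><h1>Hello</h1><p onclick="alert(2)">text</p></body></html>';

echo purifyFullDocument($sample);
```

The output document keeps the title "Report" and the heading and paragraph, with the `onclick` attribute removed by HTML Purifier and nothing from the original head carried over. If you do need more of the head than the title (for example specific `<link rel="stylesheet">` entries), whitelist those by hand from the parsed tree rather than copying the raw head string.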

