Best settings for HTML Purifier
I would like to use the PHP-based tool HTML Purifier on a textbox to prevent XSS, but I would like to allow the following:
- basic tags like <b>, <i>, <u>
- links
- images
I would like to block all CSS and JavaScript. I just tried HTML Purifier and it failed on this case. Just see this example. How can I take care of this?
Also I would want all words of the form #abcd and @abcd to be replaced with custom HTML (as you would have guessed, a link). Is it possible with this or do I have to do my own replace?
Set HTML.Allowed to something like b,i,u,a[href],img[src|alt]
See here.
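The configuration named in that answer, as an added example (not code from the answer or from the HTML Purifier project). It assumes HTML Purifier is installed through Composer, so that `vendor/autoload.php` exists; the input string is constructed here to contain exactly the things the question wants blocked (event handlers, inline style, a `javascript:` link, a `<script>` and a `<style>` element).

```php
<?php
// Added example. Configures HTML Purifier for the question's requirements:
// <b>, <i>, <u>, links and images are kept, everything else (inline CSS,
// on*= handlers, script/style elements, javascript: URLs) is dropped.
// Assumption: library installed via Composer (ezyang/htmlpurifier).
require_once __DIR__ . '/vendor/autoload.php';

function makePurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();

    // Element and attribute allow-list. Anything not listed is removed,
    // which covers style="" (inline CSS) and every on*="" event handler,
    // because neither appears in the list.
    $config->set('HTML.Allowed', 'b,i,u,a[href],img[src|alt]');

    // Only http and https in href/src. The default list also allows
    // mailto, ftp, nntp, news and tel; javascript: and data: are never
    // allowed, this just narrows things further.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);

    // User-supplied links get rel="nofollow".
    $config->set('HTML.Nofollow', true);

    // Disable the definition cache for this stand-alone demo. In
    // production leave caching on and point Cache.SerializerPath at a
    // directory the web server can write to.
    $config->set('Cache.DefinitionImpl', null);

    return new HTMLPurifier($config);
}

// Constructed sample input: allowed tags carrying forbidden attributes,
// plus elements that must disappear entirely.
$dirty = '<b onclick="alert(1)">bold</b> <i style="color:red">italic</i> <u>u</u> '
       . '<a href="javascript:alert(2)">bad link</a> '
       . '<a href="https://example.com/">good link</a> '
       . '<img src="x.png" alt="pic" onerror="alert(3)"> '
       . '<script>alert(4)</script> <style>b{color:red}</style>';

echo makePurifier()->purify($dirty);
```

Because `style` is not listed for any element in `HTML.Allowed`, inline CSS is rejected without touching the `CSS.*` options; the same mechanism removes `onclick` and `onerror`. The `javascript:` URL fails the scheme check and the attribute is dropped, while the `https://` link survives with `rel="nofollow"` added. The question's own failing example is not on the page, so it cannot be said here what went wrong in that case; the usual cause is a configuration that did not set `HTML.Allowed` at all.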
Regular expressions and the e modifier
```php
// The original answer used preg_replace() with the /e modifier, which
// evaluated the replacement string as PHP code (hence the slash handling).
// /e was deprecated in PHP 5.5 and removed in PHP 7.0; preg_replace_callback()
// is the supported equivalent and hands the match over as a plain string.
function checkTag( $tag ) {
    ...
    return $secureTag;
}
$html = preg_replace_callback( "/<[^>]+>/", function ( $m ) { return checkTag( $m[0] ); }, $input );
```
PHP has a built-in function that seems to do exactly what you want.
http://php.net/manual/en/function.strip-tags.php
It even has a whitelist feature so it can allow some tags.
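What the allow-list of `strip_tags()` does and does not cover, as an added example that is not from the answer above. The PHP manual states that `strip_tags()` does not modify attributes on the tags it allows, so `onclick`, `style` and `javascript:` URLs survive the first step; `stripAttributes()` and `isSafeUrl()` below are hypothetical helpers written for this page that add the missing attribute allow-list with `DOMDocument`. The sample input is constructed.

```php
<?php
// Added example. Step 1 is strip_tags() with the allow-list from the answer;
// step 2 is a hypothetical attribute allow-list pass that strip_tags() itself
// does not provide. Sample input is constructed for the demo.

$input = '<b onclick="alert(1)">bold</b> <i style="color:red">italic</i> '
       . '<a href="javascript:alert(2)">bad</a> <a href="https://example.com/">ok</a> '
       . '<img src="x.png" alt="pic" onerror="alert(3)"> <script>alert(4)</script>';

// Step 1: the <script> tags are removed (their text "alert(4)" stays, as
// harmless text), but onclick=, style=, javascript: and onerror= all remain
// because their tags are allowed and strip_tags() never looks at attributes.
$tagsOnly = strip_tags($input, '<b><i><u><a><img>');

/**
 * Step 2 (hypothetical helper): keep only the attributes listed for each tag
 * and only safe URLs in href/src. Parsing with DOMDocument means attribute
 * boundaries come from the parser instead of a hand-written regex.
 * $allowed maps lowercase tag name => permitted attribute names.
 */
function stripAttributes(string $html, array $allowed): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // fragment input produces harmless warnings
    // The XML declaration tells libxml the input is UTF-8; the wrapper div
    // becomes the document element because of LIBXML_HTML_NOIMPLIED.
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $wrapper = $doc->documentElement;

    foreach ($wrapper->getElementsByTagName('*') as $el) {   // descendants only
        $keep = $allowed[strtolower($el->tagName)] ?? [];
        // Collect names first: removing while iterating the live map skips items.
        $names = [];
        foreach ($el->attributes as $attr) {
            $names[] = $attr->name;
        }
        foreach ($names as $name) {
            $urlAttr = in_array($name, ['href', 'src'], true);
            if (!in_array($name, $keep, true) || ($urlAttr && !isSafeUrl($el->getAttribute($name)))) {
                $el->removeAttribute($name);
            }
        }
    }

    $out = '';
    foreach ($wrapper->childNodes as $child) {   // inner HTML of the wrapper
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

/**
 * Accept absolute http(s) URLs and scheme-less (relative) references only.
 * Browsers strip tab/newline anywhere and leading C0 controls and spaces
 * before parsing a URL, so the same is done here first; otherwise
 * "java\tscript:alert(1)" would look like a relative path and slip through.
 */
function isSafeUrl(string $url): bool
{
    $u = preg_replace('/[\t\n\r]/', '', $url);
    $u = trim($u, "\x00..\x20");
    if (preg_match('~^https?://~i', $u)) {
        return true;
    }
    // Anything that starts with "scheme:" (javascript:, data:, vbscript:, ...)
    // is rejected; what is left has no scheme and is therefore relative.
    return !preg_match('~^[A-Za-z][A-Za-z0-9+.-]*:~', $u);
}

$clean = stripAttributes($tagsOnly, [
    'b' => [], 'i' => [], 'u' => [],
    'a' => ['href'],
    'img' => ['src', 'alt'],
]);
echo $clean;
```

After step 2 the `onclick`, `style` and `onerror` attributes are gone, the `javascript:` href is removed while the `https://` one is kept, and `src="x.png"` passes as a relative reference. This is roughly what a purpose-built sanitiser does internally; it is shown here to make visible how much of the question's requirement `strip_tags()` alone leaves unaddressed.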
For the #abcd and the @abcd part I think you will have to use a preg_replace() for that. I have used a similar function and it does the @abcd part very well :).
```php
// The original quantifier sat outside the group, and "$0" in a PHP
// double-quoted string is literal only by accident (variable names cannot
// start with a digit). A single-quoted replacement makes the $0 explicit.
$sClickText = preg_replace(
    '/@[a-zA-Z0-9_]+/',
    ' <a href="#reply" onClick="reply(\'$0\')">$0</a>',
    $sInputText
);
```
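An added example, not from the answer above, that performs the #abcd and @abcd replacement on HTML that has already been sanitised, rewriting only the text between tags so that an `@` inside an `href` (for instance `mailto:bob@example.com`) or any other attribute is never touched. The link targets `/users/{name}` and `/tags/{tag}` and the sample input are assumptions made for this demo.

```php
<?php
// Added example: link @names and #tags in already-sanitised HTML. Only text
// runs between tags are rewritten. The targets /users/{name} and /tags/{tag}
// are assumptions for this demo.

/**
 * Rewrite @mentions and #hashtags in one run of text that contains no markup.
 * The negative lookbehind refuses a match when the marker follows a word
 * character or "&", which leaves e-mail addresses (bob@example.com) and
 * numeric entities such as &#39; alone.
 */
function linkifyText(string $text): string
{
    return preg_replace_callback(
        '/(?<![\w&])([@#])(\w+)/',
        function (array $m): string {
            $path = $m[1] === '@' ? '/users/' : '/tags/';
            // \w+ is ASCII letters, digits and underscore here (no /u flag),
            // so $m[2] needs no HTML escaping; the href is percent-encoded anyway.
            return '<a href="' . $path . rawurlencode($m[2]) . '">' . $m[0] . '</a>';
        },
        $text
    );
}

/**
 * Apply linkifyText() to the text runs of sanitised HTML. Splitting on tags
 * with a regex is acceptable only because the sanitiser's output is
 * well-formed and has "<" and ">" escaped inside attribute values. Text
 * inside an existing <a> is skipped so links are never nested.
 */
function linkifyHtml(string $cleanHtml): string
{
    $parts = preg_split('/(<[^>]*>)/', $cleanHtml, -1, PREG_SPLIT_DELIM_CAPTURE);
    $inLink = false;
    foreach ($parts as $i => $part) {
        if ($i % 2 === 1) {                       // odd entries are tags
            if (preg_match('/^<a[\s>]/i', $part)) {
                $inLink = true;
            } elseif (preg_match('#^</a\s*>#i', $part)) {
                $inLink = false;
            }
        } elseif (!$inLink) {                     // even entries are text
            $parts[$i] = linkifyText($part);
        }
    }
    return implode('', $parts);
}

// Constructed sample: what a sanitiser that allowed b and a[href] might emit.
$clean = 'Ping <b>@alice</b> about #php, or mail '
       . '<a href="mailto:bob@example.com">bob@example.com</a> &#39;today&#39;';
echo linkifyHtml($clean);
```

Run on the sample, `@alice` and `#php` become links, while `bob@example.com` (both in the `href` and as link text) and the `&#39;` entities are left untouched. Doing the replacement after sanitising, and emitting only `a[href]`, also means the generated links contain no inline JavaScript, which matches the question's requirement to block it; a sanitiser configured as in the first answer would otherwise strip an `onClick` attribute if the replacement ran before it.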