What HTMLPurifier settings should I enable for allowing HTML templates?

I'm building a site which allows users to build their own websites via HTML templates. What kind of HTMLPurifier setting should I use to block out XSS attacks?

In my templating system, I would only allow them to edit specific parts of the template (i.e. not the whole HTML file, just parts of it). This does not allow them to edit t开发者_如何学Pythonhe outside the tag, which is OK, but I don't want them to use javascript within the said specific parts.

Anyone who already has this kind of HTMLPurifier setup?

Sounds like you want a whitelist. That's good, because that's how HTML Purifier works.

You're going to want to go through the tag and attribute list yourself and simply decide exactly what to permit.

Permit only elements that are inherently safe, permit attributes that can't contain CSS or Javascript or refer to external resources, like images.

To be honest, you can practically permit everything outside of forms/inputs, iframes, script/noscript, object/embed, anything that would go in the head, and xmp. Everything else is either semantic or stylistic and mostly harmless.