
How to prevent malformed tags for XSS

I read a comment about malformed tags being used for XSS attacks. How am I supposed to sanitize against these? If I use a library like HTMLPurifier, does it take care of this as part of its work, or is this an independent thing? I don't hear people talking about it much.


Part of HTML Purifier's design philosophy is to only output standards compliant HTML, in order to minimize variance in browser interpretation. Thus, HTML Purifier will never output malformed tags.


HTMLPurifier will in fact sanitize for XSS.


In this day and age, to protect yourself fully and completely against XSS you will need to whitelist rather than blacklist, which HTML Purifier provides. Not only that: if put into the wrong context, even htmlspecialchars($var, ENT_QUOTES); won't help you, as there are many ways to avoid using both HTML tags and quotes (String.fromCharCode, using backslashes); you also have to consider different browser charsets, which could allow e.g. this attack in UTF-7, \\\+ADw-script+AD4-alert(/xss/)+ADw-/script+AD4---//--, to be executed. Although HTMLPurifier does have big overheads, it is a simple, non-technical way to prevent XSS attacks (although there have been, and I believe will be, holes in its filters too).


In this case HTMLPurifier is overkill. If the XSS is within a tag then you can inject a JavaScript event without the need for <>. Recently this happened to Twitter. The answer is to use htmlspecialchars($var, ENT_QUOTES);.

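The two answers above disagree about whether htmlspecialchars($var, ENT_QUOTES) is enough, and the difference is the HTML context the value lands in. The following PHP is an added example written for this page; it is not code from either answer and not part of HTML Purifier. The function names and the attacker payloads are constructed for illustration. It shows the "within a tag, no <> needed" case from the last answer, the "wrong context" and backslash cases from the answer before it, and the charset declaration that addresses the UTF-7 point.

```php
<?php
// Added example for this page: which escaping is and is not sufficient
// in three HTML contexts. All payloads below are constructed; none of
// them contains '<' or '>', so tag-level filtering never sees anything.
declare(strict_types=1);

$singleQuotePayload = "' onmouseover='alert(1)";  // breaks a single-quoted attribute
$unquotedPayload    = 'x onmouseover=alert(1)';   // breaks an unquoted attribute
$backslashPayload   = '\\';                       // eats the closing quote of a JS string
$trailingJsPayload  = ';alert(1);//';             // runs once that string is unterminated

// Case 1: single-quoted attribute, escaping only double quotes (ENT_COMPAT,
// the PHP default before 8.1). The single quote survives, the attribute
// closes early, and an event handler is injected with no '<' or '>' at all.
function attrSingleQuotedCompat(string $v): string
{
    return "<input value='" . htmlspecialchars($v, ENT_COMPAT, 'UTF-8') . "'>";
}

// Fix for case 1: ENT_QUOTES encodes both quote styles, so the value can
// no longer terminate the attribute it is placed in.
function attrSingleQuotedSafe(string $v): string
{
    return "<input value='" . htmlspecialchars($v, ENT_QUOTES, 'UTF-8') . "'>";
}

// Case 2: unquoted attribute. htmlspecialchars() never touches spaces, so
// even ENT_QUOTES cannot stop a space from starting a new attribute. The
// escaping call is correct; the template context is what is wrong.
function attrUnquotedStillBroken(string $v): string
{
    return '<input value=' . htmlspecialchars($v, ENT_QUOTES, 'UTF-8') . '>';
}

// Case 3: JavaScript string literal inside <script>. Character references
// are not decoded inside a script element, so encoding quotes does nothing
// about a trailing backslash that swallows the closing quote; the second
// value then sits outside any string and executes as code.
function scriptStringBroken(string $a, string $b): string
{
    return "<script>var a='" . htmlspecialchars($a, ENT_QUOTES, 'UTF-8') . "';"
         . "var b='" . htmlspecialchars($b, ENT_QUOTES, 'UTF-8') . "';</script>";
}

// Fix for case 3: use the JavaScript-context encoder, not the HTML one.
// json_encode() escapes backslashes and quotes; JSON_HEX_TAG and JSON_HEX_AMP
// additionally keep a literal '</script>' or '&' from reaching the HTML parser.
function scriptStringSafe(string $a, string $b): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return "<script>var a=" . json_encode($a, $flags) . ";"
         . "var b=" . json_encode($b, $flags) . ";</script>";
}

// Charset: declare the encoding instead of letting the browser guess it,
// and pass the same encoding to htmlspecialchars() so that byte sequences
// invalid in UTF-8 are rejected rather than passed through. (header() is a
// silent no-op on the CLI, so this script also runs from the command line.)
header('Content-Type: text/html; charset=UTF-8');

echo attrSingleQuotedCompat($singleQuotePayload), "\n";   // handler injected
echo attrSingleQuotedSafe($singleQuotePayload), "\n";     // quotes encoded
echo attrUnquotedStillBroken($unquotedPayload), "\n";     // still injected
echo scriptStringBroken($backslashPayload, $trailingJsPayload), "\n";  // alert runs
echo scriptStringSafe($backslashPayload, $trailingJsPayload), "\n";    // contained
```

Run it with php on the command line and read the five lines it prints as a browser would: in the first and third lines the onmouseover attribute sits outside the value, and in the fourth the backslash turns a='...' into an unterminated literal so that ;alert(1); follows as code. The practical rule both answers are circling is that htmlspecialchars($var, ENT_QUOTES) is sufficient for text nodes and for quoted attribute values, and for nothing else; unquoted attributes, script blocks, URLs and CSS each need their own encoder, and HTML Purifier is the tool for the separate problem of accepting a whitelisted subset of user-supplied markup.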
