best way to secure simple wysiwyg with php

HTMLPurifier

I'm just going to throw this one out there and probably get the inevitable lashing. I would not use strip_tags to secure your WYSIWYG form... ever (Unless you want to piss off your users).

It won't secure your form, and you may be killing your user's experience.

Chris Shiftlett in his blog post wrote an excellent paragraph

I detest commenting on blogs where my comment is passed through something like strip_tags(), effectively mangling what I'm trying to say. It reminds me of using an IM client that tries to identify smilies and replace them with images, often making responses difficult to decipher.

Another Reason

Someone else in another answer also wrote this which I like:

  $str = "10 appels is <than 12 apples";
  var_dump(strip_tags($str));

The output I get is:

string '10 appels is ' (length=13)

I personally would not use anything other than HTMLPurifier

HTMLPurifier

Try a demo here: http://htmlpurifier.org/demo.php

And look at this similar question

best way to secure simple wysiwyg with php

HTMLPurifier

Another Reason

HTMLPurifier

Tags:

Php

Security

Xss

Wysiwyg

Related

Recent Posts