0

I have a form where users are able to style their own input with html. I want to clean that input on the server side with PHP. However, I want to make sure that all the input is secure and matches what I would like it to be. I already have XSS protection so this is not about removing scripts.

When the user provides input, I want to remove tags other than p, img, a, hr, br, tbody, tr, td, pre, ul, ol, li and span (basically all text formatting other than divs). I want to remove any attributes other than href for <a>, src for <img>, and style for <p>. For <p> style I would only like to preserve the following attributes:

  • color
  • background-color
  • line-height
  • Anything that starts with text-

In addition, I want to be able to crop the text to a certain length while preserving ending tags and making sure that every opening tag also has a closing tag.

For example, how does the Stack Overflow editor parse and clean input before saving it and displaying it to the user?

Thanks.

Improve this question
3
  • I don't know the code behind SO's editor. If you show us your code maybe we can help you improve it. Commented Jul 20, 2016 at 4:26
  • My code is coming from the Summernote editor. To clarify, this is about the backend. Commented Jul 20, 2016 at 4:27
  • Are you using CKEditor for this ? Commented Jul 20, 2016 at 4:41

1 Answer 1

Reset to default
2

I use http://htmlpurifier.org/ to clean html-input. You can define the tags, attributes and styles that are allowed. I added the code from my project as an example.

    $configuration = HTMLPurifier_Config::createDefault();
    $configuration->set('Attr.EnableID', true);
    $configuration->set('AutoFormat.RemoveEmpty', true);
    $configuration->set('AutoFormat.RemoveEmpty.RemoveNbsp', true);
    $configuration->set('HTML.AllowedAttributes', array('span.style', '*.id', '*.src', 'a.href', 'table.style', 'img.style', 'td.colspan', 'td.rowspan', 'td.style'));
    $styles = array('margin-left', 'color', 'background-color', 'text-decoration', 'font-weight', 'font-style', 'border', 'border-collapse', 'height');
    $configuration->set('CSS.AllowedProperties', $styles);
    $htmlPurifier = new HTMLPurifier($configuration);
    return $htmlPurifier->purify($html);
Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Awesome. I have actually been using this to purify out scripts with the auto configuration but I did not know it could do all this. Thanks.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.