1

I want to allow users to write html into a form field but exclude javascript. Is there simple code or a library that will do this?

I've looked into using HTML Purifer but I'm not quite sure how to configure it to run in the way I am looking for. I think I would have to specify all the tags that I am allowing into HTML.allowed. I could come up with an exhaustive list, I guess, but if there is an easier way, I'd rather do that.

Improve this question

1 Answer 1

Reset to default
2

strip_tags() takes a second argument $allowable_tags so no need for external libraries or classes but yes, you will have to allow any tags you want to allow. Honestly, there are not so many tags. You may also want to disallow <style>

http://php.net/manual/fr/function.strip-tags.php

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

… and <object>, <applet>, <iframe> since they can all load JS. You also need to watch out for javascript: URIs, and so on.
I've heard bad things about strip_tags like it totally screws up when the html is not perfect syntax wise and that you can get around it by using things like onclick on allowed tags.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.