Solved thread


Allow HTML but prevent XSS

Hello Guys,

I just have a question about escaping HTML. I'm saving HTML in my database and I want to display that HTML on my website.

Well, when I display that HTML, I want to escape script tags or other dangerous HTML tags (XSS). Currently I'm using the Phalcon\Escaper to escape HTML with $escaper->escapeHtml().

The problem is that I want to display the HTML but prevent XSS via script tags or something similar. Is this possible with the Phalcon\Escaper, or is there a sanitize function to filter script tags ...?

Any answer would be nice :)

Greets, Yannici



Accepted answer

There is a PHP function for removing tags, strip_tags, but if you need a more complex sanitization use HTMLPurifier or build a custom sanitizer with DOMDocument.
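A minimal version of the third option mentioned above (a custom allowlist sanitizer built on DOMDocument), added here as an illustration and not code from the thread; the allowed tag and attribute lists are assumptions:

```php
<?php
// Added example, not from the original thread: an allowlist sanitizer built on
// DOMDocument. The allowed tags and attributes below are assumptions.
function sanitizeHtml(string $html): string
{
    $allowedTags  = ['p', 'b', 'strong', 'i', 'em', 'u', 'a', 'ul', 'ol', 'li', 'br'];
    $allowedAttrs = ['a' => ['href', 'title']]; // allowed attributes per tag
    $doc = new DOMDocument();
    // The meta tag makes libxml read the fragment as UTF-8.
    $doc->loadHTML('<!DOCTYPE html><html><head><meta charset="utf-8"></head><body>'
        . $html . '</body></html>', LIBXML_NOERROR | LIBXML_NOWARNING);
    $body = $doc->getElementsByTagName('body')->item(0);
    cleanNode($body, $allowedTags, $allowedAttrs);
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}
function cleanNode(DOMNode $node, array $allowedTags, array $allowedAttrs): void
{
    // Iterate over a copy: the live child list changes as nodes are removed.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMText) { continue; } // plain text is always kept
        $tag = $child instanceof DOMElement ? strtolower($child->tagName) : null;
        if ($tag === null || $tag === 'script' || $tag === 'style') {
            $node->removeChild($child); // comments, CDATA, and script/style with contents
            continue;
        }
        cleanNode($child, $allowedTags, $allowedAttrs); // clean descendants first
        if (!in_array($tag, $allowedTags, true)) {
            // Unwrap: keep the already-cleaned children, drop the element itself
            while ($child->firstChild) {
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->name);
            $ok = in_array($name, $allowedAttrs[$tag] ?? [], true);
            // Only absolute http(s) links; this also rejects javascript: and data: URLs.
            if ($ok && $name === 'href') {
                $ok = (bool) preg_match('#^https?://#i', trim($attr->value));
            }
            if (!$ok) { $child->removeAttribute($attr->name); }
        }
    }
}
```

Note that strip_tags() with an allowed-tags list keeps every attribute on the tags it leaves in, including event-handler attributes and javascript: hrefs, so when some markup must survive an attribute allowlist like the one above (or HTMLPurifier) is needed as well.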




> There is a PHP function for removing tags, strip_tags, but if you need a more complex sanitization use HTMLPurifier or build a custom sanitizer with DOMDocument.

I used HTMLPurifier to purify my HTML output. And it works well, thank you! :)