
Allow HTML but prevent XSS

Hello Guys,

I just have a question about escaping HTML. I'm saving HTML in my database and I want to display that HTML on my website.

Well, when I display that HTML I want to escape script tags or other dangerous HTML tags (XSS). Currently I'm using the Phalcon\Escaper to escape HTML with $escaper->escapeHtml().

The problem is that I want to display the HTML, but prevent XSS via script tags or similar. Is this possible with the Phalcon\Escaper, or is there a sanitize function to filter script tags ... ?

Any answer would be nice :)

Greets, Yannici



Accepted answer

There is a PHP function for removing tags, strip_tags, but if you need more complex sanitization use HTMLPurifier or build a custom sanitizer with DOMDocument.
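As an added illustration of the DOMDocument route (this is example code, not part of the thread or of Phalcon): a small allowlist sanitizer that keeps only a fixed set of tags and attributes, drops script/style subtrees whole, unwraps unknown tags, and rejects href/src values whose URL scheme is not http, https or mailto. The function name and the allowlist are assumptions chosen for the example.

```php
<?php
// Added example, not code from the thread: an allowlist sanitizer on DOMDocument.
// Anything not explicitly allowed is removed or unwrapped; script/style subtrees
// are dropped whole; href/src are limited to safe URL schemes.
function sanitize_html(string $html): string
{
    $dropWithContent = ['script', 'style', 'iframe', 'object', 'embed', 'svg', 'math'];
    $allowed = [   // tag => attributes permitted on it (no event handlers, no style)
        'p' => [], 'br' => [], 'b' => [], 'strong' => [], 'i' => [], 'em' => [],
        'ul' => [], 'ol' => [], 'li' => [], 'blockquote' => [], 'code' => [], 'pre' => [],
        'a' => ['href', 'title'], 'img' => ['src', 'alt'],
    ];
    $safeSchemes = ['http', 'https', 'mailto'];
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);          // tolerate sloppy markup quietly
    // The XML PI forces UTF-8; the wrapper div lets us extract only the fragment later
    $doc->loadHTML('<?xml encoding="UTF-8"><html><body><div id="root">' . $html . '</div></body></html>');
    libxml_clear_errors();
    $xpath = new DOMXPath($doc);
    // Reverse document order: descendants are handled before ancestors, so removing
    // or unwrapping a node never disturbs nodes still to be visited.
    foreach (array_reverse(iterator_to_array($xpath->query('//div[@id="root"]//*'))) as $el) {
        $tag = strtolower($el->nodeName);
        if (in_array($tag, $dropWithContent, true)) {
            $el->parentNode->removeChild($el);
            continue;
        }
        if (!isset($allowed[$tag])) {          // unknown tag: keep its children, drop the tag
            while ($el->firstChild) {
                $el->parentNode->insertBefore($el->firstChild, $el);
            }
            $el->parentNode->removeChild($el);
            continue;
        }
        foreach (iterator_to_array($el->attributes, false) as $attr) {  // copy: the map is live
            $name = strtolower($attr->name);
            // Strip control chars/whitespace first: browsers ignore them inside a scheme
            $scheme = parse_url(preg_replace('/[\x00-\x20]+/', '', $attr->value), PHP_URL_SCHEME);
            if (!in_array($name, $allowed[$tag], true)
                || (in_array($name, ['href', 'src'], true) && $scheme !== null
                    && ($scheme === false || !in_array(strtolower($scheme), $safeSchemes, true)))) {
                $el->removeAttribute($attr->name);  // e.g. onclick, style, javascript: URLs
            }
        }
    }
    $out = '';
    foreach ($xpath->query('//div[@id="root"]')->item(0)->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}
```

Run the stored HTML through sanitize_html() at output time (or before saving, if the stored copy is only ever rendered), and keep escapeHtml() for values that are plain text rather than markup.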




There is a PHP function for removing tags, strip_tags, but if you need more complex sanitization use HTMLPurifier or build a custom sanitizer with DOMDocument.

I used HTMLPurifier to purify my HTML output. And it works well, thank you! :)