MarkHtml is a library for cleaning HTML code of XSS insertions and stray closing tags; it lets you filter input data that could break the site.
Unlike similar libraries such as Jevix, it relies not on a list of allowed tags and attributes but on a list of forbidden ones: everything is permitted except what is explicitly prohibited.
With the help of the external libraries Markdown Extra and Typograf, you can write nicely formatted texts. Markdown is good because it lets you keep old HTML code unchanged, while at the same time it is comfortable to write articles in an ordinary text editor (or a <textarea>).
If you do not need Markdown or Typograf, simply remove the include code at the beginning of the markhtml.php file.
Special HTML characters are replaced selectively, so you can write either HTML code or plain text, and the result looks the way you intended rather than the way the parser decides it should.
By default, it is configured to output tags and attributes in HTML style, but you can also enable XHTML mode.
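To show what a deny-list cleaner of this kind actually does (everything passes except forbidden tags and attributes, a lone "<" or "&" in text is escaped while real markup is kept, extra closing tags are dropped, and output can be HTML or XHTML), here is an added, stand-alone Python example. It is not the library's code: the forbidden-tag and attribute sets, the allowed URL schemes and the function names are this example's own assumptions.

```python
import html
import re

# Deny-list policy. These sets are this example's own assumptions, not the
# lists used by markhtml.php; anything NOT named here passes through.
FORBIDDEN_TAGS = {"script", "style", "iframe", "frame", "frameset", "object",
                  "embed", "applet", "meta", "link", "base", "form"}
FORBIDDEN_ATTRS = {"style", "srcdoc", "formaction"}      # plus every on* handler
URL_ATTRS = {"href", "src", "action", "background", "xlink:href"}
SAFE_SCHEMES = {"http", "https", "mailto", "ftp"}
VOID_TAGS = {"br", "img", "hr", "input", "area", "col", "wbr"}

# A tag: optional '/', name, attribute soup, optional self-closing '/'.
TAG_RE = re.compile(
    r"<(/?)([a-zA-Z][a-zA-Z0-9]*)"
    r"((?:\s+[^\s=>/]+(?:\s*=\s*(?:\"[^\"]*\"|'[^']*'|[^\s>]+))?)*)\s*(/?)>")
ATTR_RE = re.compile(
    r"([^\s=>/]+)(?:\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+)))?")
ENTITY_RE = re.compile(r"&(?:#[0-9]+|#[xX][0-9a-fA-F]+|[a-zA-Z][a-zA-Z0-9]*);")


def _url_allowed(value: str) -> bool:
    """Relative URLs and the listed schemes pass; javascript:, data:, vbscript: do not."""
    # Browsers ignore control characters and whitespace inside the scheme,
    # so strip them before looking at it ("java\tscript:" is still javascript:).
    cleaned = re.sub(r"[\x00-\x20]", "", value).lower()
    m = re.match(r"^([a-z][a-z0-9+.-]*):", cleaned)
    return m is None or m.group(1) in SAFE_SCHEMES


def _clean_attrs(attr_soup: str) -> str:
    """Re-emit attributes, dropping event handlers, style and unsafe URLs."""
    kept = []
    for m in ATTR_RE.finditer(attr_soup):
        name = m.group(1).lower()
        value = next((g for g in m.groups()[1:] if g is not None), None)
        if name.startswith("on") or name in FORBIDDEN_ATTRS:
            continue                                   # onclick=, onerror=, style=
        if (name in URL_ATTRS and value is not None
                and not _url_allowed(html.unescape(value))):
            continue                                   # javascript:..., data:...
        if value is None:
            kept.append(name)
        else:                                          # normalise quoting/escaping
            kept.append('%s="%s"' % (name, html.escape(html.unescape(value), quote=True)))
    return (" " + " ".join(kept)) if kept else ""


def sanitize(source: str, xhtml: bool = False) -> str:
    """Deny-list HTML cleaner: forbidden markup is turned into visible text,
    stray '<', '>' and '&' are escaped, extra closing tags are dropped and
    unclosed tags are closed.  xhtml=True emits void tags as '<br />'."""
    out, open_tags, pos = [], [], 0
    while pos < len(source):
        ch = source[pos]
        if ch == "<":
            m = TAG_RE.match(source, pos)
            if m is None:                              # "a < b": just text
                out.append("&lt;")
                pos += 1
                continue
            closing, name, attrs, selfclose = m.groups()
            name = name.lower()
            pos = m.end()
            if name in FORBIDDEN_TAGS:                 # show it, never run it
                out.append(html.escape(m.group(0)))
            elif closing:
                if name in open_tags:                  # close inner tags first
                    while open_tags:
                        top = open_tags.pop()
                        out.append("</%s>" % top)
                        if top == name:
                            break
                # otherwise it is an extra closing tag: drop it
            elif name in VOID_TAGS:
                out.append("<%s%s%s>" % (name, _clean_attrs(attrs), " /" if xhtml else ""))
            elif selfclose:                            # <div/> -> <div></div>
                out.append("<%s%s></%s>" % (name, _clean_attrs(attrs), name))
            else:
                out.append("<%s%s>" % (name, _clean_attrs(attrs)))
                open_tags.append(name)
        elif ch == "&":
            em = ENTITY_RE.match(source, pos)
            if em:                                     # a real entity stays
                out.append(em.group(0))
                pos = em.end()
            else:
                out.append("&amp;")
                pos += 1
        elif ch == ">":
            out.append("&gt;")
            pos += 1
        else:
            out.append(ch)
            pos += 1
    while open_tags:                                   # close what was left open
        out.append("</%s>" % open_tags.pop())
    return "".join(out)


if __name__ == "__main__":
    # Constructed inputs: markup with an extra closing tag and a stray '<',
    # an event-handler attribute, and a forbidden tag.
    for sample in ('<b>bold</b></b> and 1 < 2',
                   '<img src=x onerror=alert(1)>',
                   '<script>alert(1)</script>'):
        print(repr(sample), "->", repr(sanitize(sample)))
```

The sets at the top are the weak point of any deny-list design: a tag or attribute that is not named passes untouched, which is exactly the kind of omission the author asks readers to report. Note also that a forbidden tag is escaped rather than deleted, so the author sees in the rendered text what was neutralised instead of silently losing content.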
I tested the code on various hacker insertions and it works fine, but to be honest I am not sure I remembered all the unsafe tags and attributes; if someone tells me what I missed, I will modify the code.
This article was written in Markdown and then transferred to Habr, since after becoming acquainted with this wonderful format it became unbearably difficult to write HTML code for anything other than the site template layout.
MarkHtml on Google Code: http://code.google.com/p/markhtml/ (hg)
Direct link to the archive with the files: markhtml.zip