WYSIWYG Editors require "allow HTML" for the system.
But it must invite "Script Insertion" attacks easily.
kentauls told me HTMLPurifier.
It looks great especially smoketest for XSS.
You should know HTMLPurifier can work with PHP5 only though the documentation tells us that it can work with PHP>=4.3.2.
Anyway, I've included this library into Protector.
You can try "postcommon_post_htmlpurify4guest.php" as protector's filter plugin.
But, it is just a sample.
I'll modify my modules can use HTMLPurifier as necessary by config.
HTMLPurifier allows us "WYSIWYG forum" etc.
WYSIWYG - What You See Is What You Get
HTML Purifier: A Pretty Good Fit for TinyMCE and FCKeditor
always been wary about using them due to security issues: they handle the
client-side magic, but once you've been served a piping hot load of unfiltered
HTML, what should be done then? In some situations, you can serve it uncleaned,
since you only offer these facilities to trusted(?) authors.
Unfortunantely, for blog comments and anonymous input, BBCode, Textile and
other markup languages still reign supreme. Put simply: filtering HTML is
hard work, and these WYSIWYG authors don't offer anything to alleviate that
trouble. Therein lies the solution:
HTML Purifier is perfect for filtering pure-HTML input from WYSIWYG editors.
I thought HTMLPurifier should work not only with PHP5 because I found two different zip files in the download section of their website (http://htmlpurifier.org/download.html); "HTML Purifier 2.1.2 PHP5-strict" and the other one not with PHP5-strict.