What is the best way to both secure input and allow some html tags?

Question

It's a long time that I wonder the best way to both secure input and allow some html tags in some particular cases.

The typical situation is an admin who wants to write an article on xss (for example), which will be stored in a database, and will be shown to the users. This admin would have the chance to write tags like <b> to format the text but also like <javascript> to explain the attack. If I use Zend_Filter_StripTags I can allow the admin to put harmless html tag like <b> in the text but, for security reason, I cannot allow him to put tags like <javascript>.

On the other hand, if I use Zend_Filter_HtmlEntities I allow the admin to write every tags safely but when the article is shown, the text is not formatted. At last, if I use Zend_Filter_HtmlEntities and a decode method before the system shows the article, I've the same problem of the first case.

Does anyone know the best method to solve this problem?

Answer 1

Use Zend_Filter_HtmlEntities to escape all HTML tags and then use Zend_Markup to provide formatting via BBCode annotations.

Answer 2

Use HTMLPurifier

http://htmlpurifier.org/

It can sanitize the input as well as tidying up the HTML

Answer 3

Use HTML Purifier:

HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, it will also make sure your documents are
standards compliant, something only achievable with a comprehensive knowledge of W3C's specifications.