HTML Purifier
July 11, 2016
HTML Purifier is a standards-compliant HTML filter library written in PHP. It cleans HTML by removing all malicious, invalid or forbidden (by configuration) markup, down to individual attributes.
It is recommended to purify anything that could ever be displayed on a page, because in a Cross-Site Scripting attack the attacker injects <script> tags or other malicious tags that can link to other sites and damage your own site.
There are two extremes when accepting any input from your users:
- Indiscriminately escape everything to HTML entities, so the user can inject nothing. This is 100% secure, but gives the user no freedom to add any HTML, for example to bold text in comments on your site.
- Output the content exactly as you received it from the user. This allows the user to bold text, but also to inject scripts or mangle your HTML in any other way the user desires, intentionally or unintentionally.
HTML Purifier allows a middle ground: the user may inject some HTML, but not malicious HTML. That’s a messy thing to attempt, of course, but HTML Purifier is purportedly one of the few libraries, if not the only one, that gets it right.
More information about the HTML Purifier library can be found via this link.
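The three approaches described above side by side, as an added example that is not part of the original page or of the HTML Purifier project itself. It assumes the library is installed with its `HTMLPurifier.auto.php` autoloader on the include path; the sample input is constructed for the demonstration.

```php
<?php
// Added example: escape-everything, output-raw, and HTML Purifier with an
// explicit allowlist, applied to the same constructed user input.
require_once 'HTMLPurifier.auto.php';

// Constructed sample input: legitimate formatting mixed with injected markup.
$userInput = 'Hello <b>world</b>! <script>alert("xss")</script>'
           . ' <a href="javascript:alert(1)">link</a>';

// Extreme 1: escape everything. Nothing is interpreted as HTML, so the
// <b> tag is shown literally and the user loses all formatting.
function escapeAll(string $html): string
{
    return htmlspecialchars($html, ENT_QUOTES, 'UTF-8');
}

// Extreme 2: output as received. Formatting works, but so does the script.
function outputRaw(string $html): string
{
    return $html; // unsafe: never do this with untrusted input
}

// Middle ground: HTML Purifier with an allowlist of tags and attributes.
function purifyAllowlist(string $html): string
{
    $config = HTMLPurifier_Config::createDefault();
    // Only these elements/attributes survive; everything else is stripped.
    $config->set('HTML.Allowed', 'b,i,em,strong,a[href],p,br');
    // Restrict link schemes so a javascript: href is dropped as well.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    // Write compiled definitions to a writable cache directory.
    $config->set('Cache.SerializerPath', sys_get_temp_dir());
    $purifier = new HTMLPurifier($config);
    return $purifier->purify($html);
}

echo "Escaped:  " . escapeAll($userInput) . "\n";
echo "Raw:      " . outputRaw($userInput) . "\n";
echo "Purified: " . purifyAllowlist($userInput) . "\n";
// The purified output keeps <b>world</b>, removes the <script> element
// entirely, and does not let the javascript: href through.
```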