Ask your WordPress questions! Pay money and get answers fast! Comodo Trusted Site Seal
Official PayPal Seal

How to sanitize a text field which can contain HTML input? WordPress


Within my application users can modify a setting for credits which allows them to add custom html which is displayed on frontend, like

Supplier, <a href=""></a>

An audit now showed, that this is vulnerable to XSS attacks, by adding the following for example to the settings field:

Supplier, <a href=""></a><script>alert('1');</script> or <img src="javascript:alert('1');">

Usually I use htmlspecialchars() to mitigate XSS vulnerabilities, but in this case this will not work as links would also be displayed as text instead.

I tried to sanitize the output by using a function like

function xss_sanitize($string) {
return str_replace(array("javascript","<script>","</script>"), "", $string);

but that didnt seem to fully protect agains XSS as <ScRiPt> for example would still be possible and strtolower($string) and strip_tags() are not an option.

Is there a PHP function for this usecase? Or could <strong>PHP filters</strong> (support for PHP 5.2 needed!) provide a solution here? <strong>Splitting the string is not an option, users should be allowed to further enter HTML tags</strong>, just no script-tags/javascript:

Answers (2)


Dbranes answers:

You can check out [[LINK href=""]]wp_kses()[[/LINK]]:

<blockquote>KSES is an iterative acronym and stands for “KSES Strips Evil Scripts".</blockquote>

rmaxwell comments:

yes, that´s what I was looking for - thanks!


Francisco Javier Carazo Gil answers:

Have a look to this PHP library

Francisco Javier Carazo Gil comments:

I have used it and it is really useful for your problem.

The basic one is this:

require_once '/path-to/';

$config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);
$clean_html = $purifier->purify($dirty_html);

rmaxwell comments:

thanks, looks good, but main advantage would be that this bloats up my application by at least 1MB, which would be 20% for just a tiny function I need, so another approach would be appreciated...