Revision as of 12:51, 23 May 2013 edit Tamzin (talk \| contribs) Edit filter managers, Autopatrolled, Administrators 74,687 edits m <code> on HTML tags ← Previous edit		Revision as of 11:31, 8 January 2014 edit undo 168.168.33.250 (talk) The htmlspecialchars() function does not sanitize HTML, it merely escapes characters with a special meaning in HTML such as <, >, &, and quotes. Next edit →
Line 6: Sanitization is typically performed by using either a [[whitelist]] or a [[Blacklist (computing)\|blacklist]] approach. An item left off a whitelist, makes the sanitization produce HTML code that lacks safe elements. If an item is left off a blacklist, a vulnerability will be present in the sanitized HTML output. New unsafe HTML features, introduced after a blacklist has been defined, causes the blacklist to become out of date. In [[PHP]], HTML sanitization can be performed using the <code>strip_tags()</code> function at the risk of removing all textual content following an unclosed less-than symbol or ~~<code>htmlspecialchars()</code>~~angle ~~functions~~bracket.~~<ref>http://www.php.net/strip_tags</ref>~~<ref>{{cite web\|url=http://us3.php.net/manual/en/function.~~htmlspecialchars~~strip-tags.php\|title=~~htmlspecialchars~~strip_tags\|publisher=PHP.NET}}</ref> The HTML Purifier library is another popular option for PHP applications.<ref>http://www.htmlpurifier.org</ref> In [[Java (programming language)\|Java]] (and [[.NET Framework\|.NET]]), sanitization can be achieved by using the [[OWASP]] Java HTML Sanitizer Project.<ref>https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project</ref>

HTML sanitization: Difference between revisions