Home/ Questions/Q 9163897
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-17T14:33:09+00:00

Is there an easy way to remove with php any type of event HTML

  • 0

Is there an easy way to remove with php any type of event HTML in php string. For example for events submit,mouseOut,mouseOver,click,blur,focus,etc. to prevent javascript injection, for cases like these:
is There an easy way to remove with php any type of event HTML in php srtring. For example for events submit,mouseOut,mouseOver,click,blur,focus,etc. to prevent javascript injection, for cases like these:

$text= 'mi secure html <div id="javascript_injection" onfocus=function(){SomeJavaScriptCode}></div> <p> Im interested in showing the resulting html </p>'

echo $text = 'mi secure html <div id="javascript_injection" > example </div> <b> Im interested in showing the resulting html </b>

I’m also interested in showing this: 

'mi secure html <div id="javascript_injection" > example </div> <b> Im interested in showing the resulting html </b>

PD:I can not escape all the text or remove all tags because there are parts that if I want to show in html.Imagine you want to show a user creates html to another and want to avoid the injection of javascript

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The best way to solve this kind of problem is through whitelisting instead of blacklisting. The idea is that you define what tags / attributes you allow, instead of trying to filter out bad things.

    A good library that handles this is http://htmlpurifier.org/. You can customize it to make it allow the things you want to keep.

    require_once '/path/to/HTMLPurifier.auto.php';

$dirty_html = '<a href="test.html" onclick="alert()">Test</a>'

$config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);
$clean_html = $purifier->purify($dirty_html);

echo $clean_html

    Output:

    <a href="test.html">Test</a>
    • 0