Padraic Brady has a new post to his blog today about something that has caused a lot of pain over the years for developers (not just PHP ones either) - HTML sanitization.
In this article, I take a look at some of the solutions PHP developers rely upon to perform HTML Sanitisation. Mostly because few others have done it or written about such solutions in any great detail (at least publicly). HTML Sanitisation has a very low profile in PHP. It's rarely mentioned, usually not understood all that well, and examining some of the solutions in this area with more deliberate attention is worth doing.
He introduces the subject, just to catch everyone up to speed, and describes some of the common problems developers have butted up against. He shows three different candidates for helping you filter the HTML input more effectively:
- PEAR's HTML_Safe
- htmLawed
- Kses (in WordPress)
- HTMLPurifier
Each comes with a description of what the tool is and some of the pros and cons of using it.