
I am looking for an easy and quick to install way to sanitize markdown in PHP.

I don't need an ultimately robust solution (like the answers I saw in other questions), just something simple that filters the most dangerous tags (for example, filtering the script tag, among other things).

Does such a thing exist? Maybe a regex, but I don't know what I need to filter.

I currently have the markdown sanitizer on the client side, but I need something on the PHP side or XSS will get in the way...

nialna2
  • > "I don't need an ultimate robust solution (as answers I saw in other questions)" I already read this question but the solution is something that takes a day to install – nialna2 Dec 07 '13 at 22:46

2 Answers


There are a couple of easy ways (not 100% secure, but decent stop-gaps). `strip_tags` will remove all HTML tags, and `htmlentities` will replace the characters that make up HTML tags.

Machavity
  • The thing is that I still need HTML to be there. Markdown produces HTML output. I just need something to filter "bad" HTML tags like – nialna2 Dec 07 '13 at 22:47
  • `string strip_tags ( string $str [, string $allowable_tags ] )` you can specify allowed tags.., however allowing e.g., a single img might make you vulnerable. – worenga Dec 07 '13 at 22:48
  • `strip_tags` would be the way to go then. There are [a number of good reasons](http://stackoverflow.com/questions/1732348/regex-match-open-tags-except-xhtml-self-contained-tags/1732454#1732454) not to try this with regex – Machavity Dec 07 '13 at 23:08
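The following is an added example, not code from the answer or comments above. It applies the three stop-gaps discussed there (`strip_tags` with no allowlist, `strip_tags` with an allowlist, and escaping everything with `htmlspecialchars`) to a constructed piece of HTML of the kind a Markdown renderer emits when the user input contains raw inline HTML, and it shows the caveat worenga raised: once `<img>` or `<a>` is allowed, `strip_tags` keeps the whole tag, attributes included, so `onerror=` and `javascript:` survive. The input string and function names are mine.

```php
<?php
// Added example (not from the original answer): the strip_tags stop-gap
// applied to HTML produced by a Markdown renderer, and why allowing <img>
// or <a> is dangerous. Run with: php strip_tags_demo.php
declare(strict_types=1);

// Constructed sample: what a Markdown-to-HTML step can emit for user input
// that embeds raw HTML (most Markdown renderers pass inline HTML through).
$rendered = <<<'HTML'
<p>Hello <b>world</b></p>
<script>alert('xss')</script>
<p><img src="x" onerror="alert(1)"></p>
<p><a href="javascript:alert(2)">click</a></p>
HTML;

// Option 1: remove every tag. Safe against markup injection, but the
// Markdown formatting is gone too, which is what the asker wants to keep.
function stripAllTags(string $html): string
{
    return strip_tags($html);
}

// Option 2: keep an allowlist of tags. strip_tags keeps each allowed tag
// verbatim, attributes included, so event handlers and javascript: URLs
// pass straight through.
function stripWithAllowlist(string $html): string
{
    return strip_tags($html, '<p><b><i><a><img>');
}

// Option 3: escape everything so the browser renders it as text, not markup.
// No XSS, but also no formatting: the reader sees the literal tags.
function escapeAll(string $html): string
{
    return htmlspecialchars($html, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

echo "--- strip_tags, no allowlist ---\n", stripAllTags($rendered), "\n\n";
echo "--- strip_tags with <p><b><i><a><img> allowed ---\n", stripWithAllowlist($rendered), "\n\n";
echo "--- htmlspecialchars ---\n", escapeAll($rendered), "\n\n";

// A check worth keeping in a test suite: the allowlisted output still
// contains the script-bearing attribute and the javascript: URL, so this
// stop-gap is not an XSS fix on its own.
$allowlisted = stripWithAllowlist($rendered);
foreach (['onerror=', 'javascript:'] as $needle) {
    if (stripos($allowlisted, $needle) !== false) {
        fwrite(STDERR, "WARNING: '{$needle}' survived the strip_tags allowlist\n");
    }
}
```

Note that `strip_tags` only deletes the tag markup: the text `alert('xss')` from inside the removed `<script>` element remains in the output as harmless text, while the allowed `<img>` and `<a>` tags come out exactly as they went in. That is why an allowlist of tag names alone is not enough once any tag with URL or event attributes is permitted.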

OK, so initially I read this question, in which people answered with HTML Purifier but said that it took a day to configure. For me that was too long for a small project.

But I actually tried it, and the default installation took me less than five minutes and works just fine. So HTML Purifier is the way to go, even if you don't have much time.

nialna2
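The following is an added example of the "default installation" route described in the answer above; it is not the answerer's code. It assumes HTML Purifier was installed with Composer (`composer require ezyang/htmlpurifier`) so that `vendor/autoload.php` exists, and it runs the purifier over the HTML that a Markdown renderer produced, which is the point in the pipeline where the server-side sanitizer belongs. The allowlist of elements and attributes, the function names, and the sample HTML are mine; the configuration directives (`HTML.Allowed`, `URI.AllowedSchemes`, `HTML.Nofollow`, `Cache.DefinitionImpl`) are HTML Purifier's own.

```php
<?php
// Added example (not from the original answer): HTML Purifier with its
// default configuration plus a small allowlist, applied after Markdown
// rendering. Assumes:  composer require ezyang/htmlpurifier
// Run with: php purify_demo.php
declare(strict_types=1);

require_once __DIR__ . '/vendor/autoload.php';

function makePurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();

    // Only the elements a Markdown renderer normally emits, with the
    // attributes each may carry. Anything else (script, style, onerror,
    // iframe, ...) is dropped, not escaped.
    $config->set(
        'HTML.Allowed',
        'p,br,b,strong,i,em,code,pre,blockquote,ul,ol,li,h1,h2,h3,'
        . 'a[href|title],img[src|alt|title]'
    );
    // Purifier already rejects javascript: URLs; narrowing the scheme list
    // further is cheap and keeps ftp:/news: links out of user content.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true, 'mailto' => true]);
    // Add rel="nofollow" to user-supplied links.
    $config->set('HTML.Nofollow', true);
    // Disable the definition cache for this small demo; on a real site set
    // Cache.SerializerPath to a writable directory instead.
    $config->set('Cache.DefinitionImpl', null);

    return new HTMLPurifier($config);
}

// Sanitize the HTML produced by the Markdown step. The purifier is built
// once and reused, since construction is the expensive part.
function sanitizeRenderedMarkdown(string $html): string
{
    static $purifier = null;
    if ($purifier === null) {
        $purifier = makePurifier();
    }
    return $purifier->purify($html);
}

// Constructed sample: HTML emitted by a Markdown renderer for hostile input
// that mixed Markdown with raw inline HTML.
$rendered = <<<'HTML'
<p>Hello <b>world</b></p>
<script>alert('xss')</script>
<p><img src="x" onerror="alert(1)" alt="pic"></p>
<p><a href="javascript:alert(2)">click</a> and <a href="https://example.com">ok</a></p>
<p style="background:url(javascript:alert(3))">styled</p>
HTML;

echo sanitizeRenderedMarkdown($rendered), "\n";
```

With this configuration the `<script>` element is removed along with its contents, the `onerror` and `style` attributes are dropped because they are not in the allowlist, the `javascript:` href is rejected so that link loses its URL, and the `https://example.com` link survives with `rel="nofollow"` added. Run the script once on a few hostile inputs like the sample above before deploying, and keep the allowlist as small as the Markdown features you actually use.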