HTML purifier not working with $_POST before inserting into mysql

Question

I have this text editor on a wordpress blog and I want to use HTML Purifier to purify users' input before inserting into database. The text editor is an iframe so I get the content by using

   document.getElementById("comments_comments").value=$("#textEditor").contents().find("body").html();

when users click on the submit button.

I follow the basic instruction from html purifier like this:

  if (isset($_SESSION["user"]) && $_SESSION["user"] != "") 
  {   
    require_once '/path/to/HTMLPurifier.auto.php';

    $config = HTMLPurifier_Config::createDefault();
    $purifier = new HTMLPurifier($config);
    $comments = $purifier->purify($_POST["comments"]);
    $sql = $wpdb->prepare ("INSERT INTO mytable SET comments = %s",array($comments));
    $wpdb->query($sql);
  }

But the code doesn't have any effect at all. I was expecting the <script> tags completely removed, but they are still stored in the database as & lt ;script & gt ; which I think is the work of the wpdb prepare statement. Does the above configuration not work with $_POST? Any help would be appreciated.

Answer 1

First make sure, you realy disallow this tag:

$config->set('HTML.ForbiddenElements', ['script']));

You talking about ending with this in the database:

& lt ;script & gt ;

Are you sure, you don't already use htmlspecialchars()? Maybe with something like this?

foreach ($_POST as $key => $value) {
    $_POST[$key] = htmlspecialchars($value)
}

I am 99,99 % sure, it has nothing to do with the database. If you would do var_dump($comment) instead of inserting to a database, it would be the same.