I am just looking into using HTML Purifier to ensure that a user-inputed string (that represents the name of a person) is sanitized.
I do not want to allow any html tags, script, markup etc - I just want the alpha, numeric and normal punctuation characters.
The sheer number of options available for HTML Purifier is daunting and, as far as i can see, the docs do not seem to have a beggining/middle or end
see: http://htmlpurifier.org/docs
Is there a simple hello world tutorial online for HTML Purifier that shows how to sanitize a string removing all the bad stuff out of it.
I am also considering just using strip tags:
or PHP's in built data sanitizing
I've been using HTMLPurifier for sanitizing the output of a rich text editor, and ended up with:
include_once('htmlpurifier/library/HTMLPurifier.auto.php');
$config = HTMLPurifier_Config::createDefault();
$config->set('Core', 'Encoding', 'UTF-8');
$config->set('HTML', 'Doctype', 'HTML 4.01 Transitional');
if (defined('PURIFIER_CACHE')) {
$config->set('Cache', 'SerializerPath', PURIFIER_CACHE);
} else {
# Disable the cache entirely
$config->set('Cache', 'DefinitionImpl', null);
}
# Help out the Purifier a bit, until it develops this functionality
while (($cleaner = preg_replace('!<(em|strong)>(\s*)</\1>!', '$2', $input)) != $input) {
$input = $cleaner;
}
$filter = new HTMLPurifier($config);
$output = $filter->purify($input);
The main points of interest:
HTMLPurifier_Config
as $config
.$config->set()
.HTMLPurifier
, passing $config
to it.$filter->purify()
on your input.However, it's entirely overkill for something that doesn't need to allow any HTML in the output.