 

Is HTMLPurifier really that bullet-proof?

I saw Kohana framework allowing users to optionally use HTMLPurifier against any possible XSS attacks.

I thought HTMLPurifier was meant to allow standards-compliant output of the HTML.

Does it help avoid XSS attacks 100%, or probably to a great extent? Or would you suggest something else?

Thanks

Sarfraz asked Dec 16 '09 10:12



1 Answer

As for every possible piece of software, it cannot be perfect, and there is always a risk that someone somewhere one day can find a security hole and exploit it.

So, no-one will tell you "it help avoid XSS attacks 100%"...

But, each time I've heard of HTMLPurifier, it was in great terms -- and I've used it successfully a couple of times, and will use it again for some future projects.

So, I think that "probably to great extent" is your answer ;-)

Pascal MARTIN answered Nov 05 '22 22:11

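The "to a great extent" in the answer above depends heavily on how HTMLPurifier is configured and where its output is used. The following is an added example (not code from the question, the answer, or the HTMLPurifier project) of the allow-list style setup a practitioner would use for untrusted rich-text input. It assumes the library is installed through Composer as `ezyang/htmlpurifier`, so the autoloader path is an assumption, and the sample payloads are constructed for illustration.

```php
<?php
// Added example: allow-list configuration of HTMLPurifier for untrusted rich text.
// Assumes Composer package ezyang/htmlpurifier; the autoloader path below is an
// assumption, and the sample inputs at the bottom are constructed, not real data.
require_once __DIR__ . '/vendor/autoload.php';

function buildPurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();

    // Allow only the elements and attributes the application really needs.
    // Everything else (script, iframe, style, on* event handlers, ...) is
    // removed because it is not on the list, not because it is on a blacklist.
    $config->set('HTML.Allowed', 'p,br,b,strong,i,em,ul,ol,li,a[href|title]');

    // Restrict link targets to http/https so javascript: and data: URIs
    // in href never survive purification.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);

    // Mark user-supplied links as nofollow (optional hardening).
    $config->set('HTML.Nofollow', true);

    // HTMLPurifier caches serialized definitions; keep that directory out of
    // the web root and writable by the PHP process.
    $config->set('Cache.SerializerPath', sys_get_temp_dir());

    return new HTMLPurifier($config);
}

/**
 * Sanitize untrusted HTML for insertion into an HTML *body* context only.
 * The result is NOT safe to place inside an attribute value, a <script>
 * block, or a URL; those contexts need their own context-specific escaping.
 */
function sanitizeForHtmlBody(string $untrusted): string
{
    static $purifier = null;
    if ($purifier === null) {
        $purifier = buildPurifier();
    }
    return $purifier->purify($untrusted);
}

// Constructed sample inputs (hypothetical, for demonstration only).
$samples = [
    '<p>Hello <b>world</b></p>',
    '<script>alert(1)</script><p>text</p>',
    '<a href="javascript:alert(1)">click</a>',
    '<img src=x onerror="alert(1)">',
    '<p onmouseover="alert(1)">hover</p>',
];

foreach ($samples as $dirty) {
    printf("%-45s => %s\n", $dirty, sanitizeForHtmlBody($dirty));
}
```

Two caveats worth pairing with the answer's "not 100%": the purifier only makes the markup safe for the HTML body context it was configured for, so the same string must still be escaped differently if it lands in an attribute, inline script, or URL; and because the library is a parser and rewriter of a complex grammar, keeping it updated matters as much as configuring it with a narrow allow-list.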