Validate an HTML embed code using PHP or javascript or PHP framework (Zend)

Question

just a simple question.. Is there any good practices to validate an HTML embed code? fyi, I am using Zend Framework and prototype+scriptaculous right now.. it would be great if someone could give a clue around that environment.

Thank you! ^^

Answer 1

If you want to allow user to input HTML, and then display it on your website, a really great solution is HTMLPurifier.

It takes any kind of "sort of" HTML code as input, and returns valid-HTML, allowing you to specify which tags and attributes must be allowed -- all others will be removed.

This way, if your users input not-valid HTML, you'll still get valid HTML (less risk of destroying your layout when outputing it), and if you only specify a couple of non-dangerous tags and attributes, it's a great plus for security.

If you want to try it without having to integrate it in your application, there's a demo page available, btw.

For instance, if I input something like this :

<p>
this <b>is a<i>test</b></i>
with a not <em>closed tag
and a <a href="http://google.com" onclick="alert('bouh');">link</a>
and some <script type="text/javascript>alert('script');</script>
</p>

The HTML I get as output will be :

<p>
this <b>is a<i>test</i></b>
with a not <em>closed tag
and a <a href="http://google.com">link</a>
and some </em></p>

ie tags are OK (closed, in the right order), the script tag has been removed, and so has the onclick attribute of the link.