By Chris Snyder <firstname.lastname@example.org>
safe_html() is a free php function that takes a conservative approach
to sanitizing user input while still allowing some markup through. It
is meant to be used on posts to message boards or comment systems,
where you want to allow html images, links and lists, but not
cross-site scripting attacks.
removes undesireable html tags, and closes any open tags or comments at
the end of the post. When it doubt, safe_html() will strip all html tags from a post, rather
than let something tricky slip through.
Full disclosure: this is a
simple hack, but I trust it on production sites. It does not try to
clean up or standardize the html itself. It does not
use the best/most-efficient regexes. It uses brute force. It is not
certified by anyone. You are welcome to audit the code and submit both
exploits and patches, which I may incorporate into future versions.
For input that should not contain html tags at all, it is much better
to use php's built-in htmlentities()
function. And whereas htmlentities() can be decoded, safe_html()'s
filtering cannot be reversed. Your mileage may vary, read and
understand the disclaimer, etc etc.
- Source Code
- Standard Tests - Comments
How To Use safe_html()
To use safe_html.php in your code, simply include it (once) and then
call the safe_html() function as you would htmlentities() or any other
php string processing function.
$markup = $_POST['content'];
$safemarkup = safe_html( $markup );
The usage above causes safe_html() to use its default set of allowed
html tags. You can explicitly set the tags allowed using an optional
second argument to safe_html(), as detailed below.
$markup = $_POST['content'];
// define custom allowed tags
// - balanced tags (<p></p>) are marked 1
// - unbalanced tags (<hr>) are marked 0
// FYI this example is the default allowedtags array
$allowedtags= array ( "p"=>1, "br"=>0, "a"=>1, "img"=>0,
"li"=>1, "ol"=>1, "ul"=>1,
"b"=>1, "i"=>1, "em"=>1, "strong"=>1,
"del"=>1, "ins"=>1, "u"=>1, "code"=>1, "pre"=>1,
$safemarkup = safe_html( $markup, $allowedtags );
Theory of Operation
For general information on Cross-Site Scripting (XSS) see the Wikipedia
entry or get your hands on a copy of Pro PHP
Security, Chapter 13.
For a comprehensive list of attack vectors, see RSnake's cheatsheet at http://ha.ckers.org/xss.html.
There are three main strategies taken by safe_html.php: preventing
stripping any html tags that aren't on an allowed short-list. Between
them, these cut off most of the known vectors of attack... but not all.
Attackers may still link to malicious URLs, for instance. And they are
always free to try social engineering tricks.
If safe_html() encounters anything inside of a tag that looks like a
script call, it will assume that an attack is
being attempted, and call php's strip_tags() on the entire value being
so that your users can still talk about code.
Comes out fine:
the best method.
Comes out as plain text, because strip_tags() is triggered:
Simply put, semi-trusted web users have no business using any sort of
be restricted to static pages and templates, managed by trusted users
out of band.
I think you should click this.
Stripping Style Attributes
Unfortunately this may be a little unpopular, but here it is:
safe_html() strips all style="" attributes from html tags. That's
right, you don't get arbitary styling, which means that the font and
size menus, colors, and indenting on some in-browser WYSWYG content
editors won't work. It also means that (unless you specifically allow
the <font> tag) users cannot change the font size or color in the
markup they post. This is done to prevent user content from hijacking
For instance, the following html will effectively cover whatever page
it is on, and entice the user to click a malicious link:
<p style="position: absolute; top: 0px; left: 0px;
width: 98%; height: 98%;
Experiencing technical difficulties,
<a href="http://10.0.17.128/?action=login">click here to re-try</a>.
safe_html() will strip the style attribute altogether, rendering the
markup as a normal <p> paragraph, and exposing the post as an
attempt at a social engineering attack.
Stripping and Balancing html
In addition to the above protections, safe_html() ensures that users
can only use approved html tags, and that all open tags and comments
are closed by the end of the markup. That way some sad sack can't leave
an <a> tag unclosed and wreck your whole interface. This happens
more often then you might think.
The sanitized text is branded the with safe_html version number (which
doubles as a comment closure) so you'll know which text needs to be
refiltered next time there's a bug-fix or new attack vectors discovered.
Last updated 2005-09-05.