I am using HTMLPurifier for simple Tinymce WYSIWYG.If I don't use htmlspecialchars,would it be open to XSS Attack?This is what I'm doing
$detail = $purifier->purify($detail);
to purify data for that textarea.If I use htmlspecialchars,it strips all basic tags as well which is not user friendly for an WYSIWYG editor.But the problem is,this allows <script> tag as well.
And if I change conf setting to
$config->set('ExtractStyleBlocks.1', true);
It doesn't allow < and > for <script> tag.Convert < and > for <script> only.But it shows <p>This is paragraph</p> ,<strong>This text is bold</strong> and so on.It shouldn't show <p> and other simple tags to user,but only the text.
How can I get rid of this problem.
Please help.Thanks for your time.
Edit
Here is my HTMLPurifier initialization
$config = HTMLPurifier_Config::createDefault();
//$config->set('ExtractStyleBlocks', true);
$config->set('HTML.ForbiddenElements', array('script','style','applet'));
$purifier = new HTMLPurifier($config);
getting data from database
while(mysqli_stmt_fetch($stmt1)){
$id=htmlspecialchars($id);
$title=htmlspecialchars($title);
$detail = $purifier->purify($detail);
$posts.="<div id='date_news'><div id='news_holder$id' class='news_holder'><h3 id='show_title'>".htmlspecialchars($title)."</h3>".$detail."</div>";
HTML for $detail
At Database
<p><strong>Alu Vazi</strong></p>
<p>I love alu vazi with<script>alert("XSS")</script></p>
User screen
Alu Vazi
I love alu vazi with<script>alert("XSS")</script>
