I'm having an issue with using the HTMLPurifier PHP library. I'm using a WYSIWYG editor named 'Summernote' for all text areas on my application.
When writing something inside Summernote like:
<script>alert('test');</script>
The post data comes through as
<p>&lt;script&gt;alert('test');&lt;/script&gt;</p>
However, once this is run through HTMLPurifier, it doesn't remove the script tags that are converted into regular characters. So when I go to edit this text inside Summernote, it actually runs the script!
Here's an image of what is processed into the editor:
And here is how it's stored inside the database:
If anyone has any ideas please let me know!
EDIT: Also, if I disable the Summernote WYSIWYG editor, the tags are successfully removed from the textarea when cleaning with HTMLPurifier.
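The round trip described in the question, as an added model that is not code from the question, from HTMLPurifier or from Summernote: entity-encoded tags in the stored value are inert text, so the purifier keeps them, but when that value is echoed straight into a <textarea> the browser decodes the entities once and the editor is then handed real tags. Python's html module stands in for the browser's entity handling, the stored sample is constructed, and the two render_* functions are hypothetical server templates showing the unescaped path beside the fix of escaping once more on output.

```python
"""Model of purified content travelling back into a WYSIWYG editor.

Added illustration only. html.escape/html.unescape stand in for the
browser's parsing of <textarea> contents; STORED is a constructed sample.
"""
import html
import re

# Constructed: what a purifier leaves of the posted value. The entity text
# is plain text, not markup, so leaving it in place is correct behaviour.
STORED = "<p>&lt;script&gt;alert('test');&lt;/script&gt;</p>"

# Opening or closing tag names in a string that will be used as HTML.
TAG_RE = re.compile(r"<\s*/?\s*([A-Za-z][A-Za-z0-9]*)")


def render_textarea_raw(stored: str) -> str:
    """Hypothetical template that echoes the stored HTML as-is (the bug)."""
    return f"<textarea>{stored}</textarea>"


def render_textarea_escaped(stored: str) -> str:
    """Hypothetical template that escapes on output, so the browser's
    single decode gives back exactly what was stored (the fix)."""
    return f"<textarea>{html.escape(stored, quote=True)}</textarea>"


def browser_textarea_value(page: str) -> str:
    """The browser treats <textarea> contents as text: entities are decoded
    once and tags inside are not interpreted. The editor reads this value."""
    match = re.search(r"<textarea>(.*?)</textarea>", page, re.S)
    return html.unescape(match.group(1)) if match else ""


def live_tags(editor_html: str) -> list[str]:
    """Tag names the editor would materialize if it used this value as HTML."""
    return [name.lower() for name in TAG_RE.findall(editor_html)]


def contains_script(editor_html: str) -> bool:
    """Defender check: did a stored entity-encoded script come back to life?"""
    return "script" in live_tags(editor_html)


if __name__ == "__main__":
    for label, render in (("raw", render_textarea_raw),
                          ("escaped", render_textarea_escaped)):
        value = browser_textarea_value(render(STORED))
        print(f"{label:8} editor receives: {value}")
        print(f"{label:8} live tags: {live_tags(value)}")
```

Run it and the raw path hands the editor a real script element while the escaped path hands it the same inert text that was stored; the purifier was never the component that changed.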