I'm using PHP and Zend Framework in my application. User can enter some HTML and admin can see this HTML. I want to avoid XSS injection. All HTML should me shown as is except any javascript. I tried to remove script tags but it is unsafe. User can add javascript to onclick or other events.
Thanks.
If you are looking to sanitize user input like this from XSS, I'd look into using HTML purifier
Removing only script tags is not enough, you miss out any javascript inline that people can add, among other things.
HTML purifier however will remove it all for you. From their site:
HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, it will also make sure your documents are standards compliant, something only achievable with a comprehensive knowledge of W3C's specifications.
I think your best bet would be to manually cover all vulnerabilities.
Start by removing script tags, then run regular expressions on the on events (onclick, onhover...) and remove those as well. There's more offcourse...
CodeIgniter (other frameworks as well probably) has a function xss_clean(), you might have a look at that one to see what they do.
