Problem: there are two different tasks – to put plain text into a wiki, so that it is displayed unmodified; and to put HTML into a wiki, so that it is displayed unmodified, i.e. rendered by the browser.
- The double quote syntax solves the first problem: htmlspecialchars() is run on the quoted contents. Done.
- The second problem is solved by the new syntax; <# #> is proposed. Done.
- In the second task, depending on an option in the configuration file, dangerous HTML code is either removed or left in. Done.
- see SafeHTML – anti-XSS HTML parser
Dangerous code is:
- tags <object>, <layer>, <ilayer>, <frame>, <iframe>, <script>, <embed>, <applet>, <bgsound>, <style>, <link>, <body>, <meta>, <frameset>.
- strip dangerous CSS.
- position: (but not background-position:)
- For the subject, strip_tags() with a small set of allowed tags (i, a, b, s, strong, strike, u) is suggested. The style attribute should also be removed.
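The following PHP is an added illustration of the rules above, not the wiki engine's own code and not the SafeHTML parser: the function names (renderWikiText, renderRawHtml, renderSubject), the $allowDangerousHtml option and the regex-based filter that stands in for SafeHTML are assumptions of this example, and the sample input at the bottom is constructed.

```php
<?php
// Added illustration, not the wiki engine's code. Function names, the
// $allowDangerousHtml option and the regex filter (which only sketches what
// the SafeHTML parser does) are assumptions of this example.

// The tags the page lists as dangerous.
const DANGEROUS_TAGS = ['object', 'layer', 'ilayer', 'frame', 'iframe', 'script',
    'embed', 'applet', 'bgsound', 'style', 'link', 'body', 'meta', 'frameset'];

// Remove the dangerous tags and the dangerous CSS property "position:" from raw HTML.
function stripDangerousHtml(string $html): string
{
    // script and style are removed together with their bodies, so no code survives.
    $html = preg_replace('#<(script|style)\b[^>]*>.*?</\1\s*>#is', '', $html);
    // Every other listed tag: drop the opening and closing tags themselves.
    $tags = implode('|', DANGEROUS_TAGS);
    $html = preg_replace('#</?(' . $tags . ')\b[^>]*>#i', '', $html);
    // Inside style="...": strip "position:" but keep "background-position:".
    return preg_replace_callback('#style\s*=\s*(["\'])(.*?)\1#is', function ($m) {
        $css = preg_replace('/(?<![\w-])position\s*:[^;"\']*;?/i', '', $m[2]);
        return 'style=' . $m[1] . $css . $m[1];
    }, $html);
}

// Double-quote syntax: escape, so the browser shows the text unmodified.
function renderQuoted(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// <# #> syntax: pass the HTML through; the configuration option decides filtering.
function renderRawHtml(string $html, bool $allowDangerousHtml): string
{
    return $allowDangerousHtml ? $html : stripDangerousHtml($html);
}

// Apply both syntaxes in a single pass, so quotes inside <# #> blocks (e.g. in
// attributes) are never mistaken for the plain-text syntax.
function renderWikiText(string $src, bool $allowDangerousHtml = false): string
{
    return preg_replace_callback('/<#(.*?)#>|"([^"]*)"/s', function ($m) use ($allowDangerousHtml) {
        return $m[0][0] === '<'
            ? renderRawHtml($m[1], $allowDangerousHtml)
            : renderQuoted($m[2]);
    }, $src);
}

// Subject line: strip_tags() with the small allow-list, then drop style attributes,
// which strip_tags() leaves untouched on the tags it keeps.
function renderSubject(string $subject): string
{
    $clean = strip_tags($subject, '<i><a><b><s><strong><strike><u>');
    return preg_replace('/\s+style\s*=\s*(["\']).*?\1/is', '', $clean);
}

// Constructed sample input (not from the page).
$body = 'Show "<b>these</b>" literally, but render <#<b title="x">this</b>'
      . '<script>track()</script><span style="position:fixed; background-position:0 0">ok</span>#>.';
echo renderWikiText($body, false), "\n";   // dangerous HTML removed
echo renderWikiText($body, true), "\n";    // configuration allows it: passed through
echo renderSubject('<b style="color:red">Subject</b> <img src="x.png">'), "\n";
```

Two caveats for anyone turning this sketch into the real thing: a regex tag-stripper is only a placeholder for a proper allow-list parser such as SafeHTML, since browsers accept many malformed tag spellings a regex will not match; and strip_tags() keeps every attribute on the tags it allows, so the subject rule needs an attribute allow-list as well, not just removal of style.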