Problem: there are two different tasks – to put plain text into a wiki, so that it is displayed unmodified; and to put HTML into a wiki, so that it is displayed unmodified, i.e. rendered by the browser.

Proposed solution:

  1. The double quote syntax solves the first problem. On their contents, htmlspecialchars() is executed. Done.
  2. The second problem is solved by the new syntax. Done.
    1. The <# #> is proposed.
  3. In the second task, depending on the option in the configuration file, the dangerous HTML code is removed or not removed. Done.
    1. see SafeHTML – anti-XSS HTML parser

Dangerous code is:

  • attributes on*, data*, action="javascript:", href="javacript:", dynsrc.
  • tags <object>, <layer>, <ilayer>, <frame>, <iframe>, <script>, <embed>, <applet>, <bgsound>, <style>, <link>, <body>, <meta>, <frameset>.
  • strip dangerous CSS.
    • position: (but not backgound-position:)
    • @import
    • @font-face:
    • expression
    • behavior
  • For subject, it is suggested to do strip_tags() with some small set of allowed tags, like i, a, b, s, strong, strike, u. The style attribute should also be removed.