SAFE_HTML(1)                    RSpade Manual                    SAFE_HTML(1)

NAME
    safe_html - Sanitize HTML from WYSIWYG editors to prevent XSS attacks

SYNOPSIS
    PHP:  safe_html(string $html): string
    JS:   safe_html(html_string)

DESCRIPTION
    Filters potentially malicious HTML while preserving safe formatting tags.
    Use for all user-generated rich text content before display.

    Both PHP (HTMLPurifier) and JS (DOMPurify) implementations use matching
    allowed tags and attributes for consistent behavior.

WHAT GETS STRIPPED
    - <script> tags and contents
    - Event handlers (onclick, onerror, onload, etc.)
    - javascript: and data: URLs
    - <iframe>, <object>, <embed> tags
    - <style> tags and style attributes with expressions
    - Any tag/attribute not in the allowed list

ALLOWED TAGS
    p, br, strong, b, em, i, u, s, strike, a, ul, ol, li, blockquote,
    h1, h2, h3, h4, h5, h6, pre, code, img, table, thead, tbody, tr, th, td,
    div, span

ALLOWED ATTRIBUTES
    href, title, target (on links)
    src, alt, width, height (on images)
    class (on all elements)

EXAMPLES
    PHP:
        $clean = safe_html($user_input);
        echo $clean;  // Safe to output

    JS:
        const clean = safe_html(editor.getHTML());
        container.innerHTML = clean;  // Safe to insert

    Input:  <p>Hello <script>alert(1)</script></p>
    Output: <p>Hello </p>

    Input:  <a href="javascript:alert(1)">click</a>
    Output: <a>click</a>

    Input:  <img src="x" onerror="alert(1)">
    Output: <img src="x">

USAGE PATTERN
    Always sanitize on the server before storing OR before display.
    Sanitizing on both client and server provides defense in depth.

    // Controller - sanitize before saving
    $model->description = safe_html($params['description']);

    // Or sanitize on display in template
    <%!= safe_html(this.data.description) %>

SEE ALSO
    html() - Escape all HTML (for plain text, not rich text)

RSpade Framework                  December 2025                   SAFE_HTML(1)