rspade_system/app/RSpade/man/safe_html.txt
2025-12-25 23:39:42 +00:00

SAFE_HTML(1) RSpade Manual SAFE_HTML(1)
NAME
safe_html - Sanitize HTML from WYSIWYG editors to prevent XSS attacks
SYNOPSIS
PHP: safe_html(string $html): string
JS: safe_html(html_string)
DESCRIPTION
Filters potentially malicious HTML while preserving safe formatting tags.
Use for all user-generated rich text content before display.
Both PHP (HTMLPurifier) and JS (DOMPurify) implementations use matching
allowed tags and attributes for consistent behavior.
WHAT GETS STRIPPED
- <script> tags and contents
- Event handlers (onclick, onerror, onload, etc.)
- javascript: and data: URLs
- <iframe>, <object>, <embed> tags
- <style> tags, and style attributes that contain CSS expressions
- Any tag/attribute not in the allowed list
ALLOWED TAGS
p, br, strong, b, em, i, u, s, strike, a, ul, ol, li, blockquote,
h1, h2, h3, h4, h5, h6, pre, code, img, table, thead, tbody, tr, th, td,
div, span
ALLOWED ATTRIBUTES
href, title, target (on links)
src, alt, width, height (on images)
class (on all elements)
EXAMPLES
PHP:
$clean = safe_html($user_input);
echo $clean; // Safe to output
JS:
const clean = safe_html(editor.getHTML());
container.innerHTML = clean; // Safe to insert
Input: <p>Hello <script>alert(1)</script></p>
Output: <p>Hello </p>
Input: <a href="javascript:alert(1)">click</a>
Output: <a>click</a>
Input: <img src="x" onerror="alert(1)">
Output: <img src="x">
USAGE PATTERN
Always sanitize on the server before storing OR before display.
Sanitizing on both client and server provides defense in depth.
// Controller - sanitize before saving
$model->description = safe_html($params['description']);
// Or sanitize on display in template
<%!= safe_html(this.data.description) %>
SEE ALSO
html() - Escape all HTML (for plain text, not rich text)
RSpade Framework December 2025 SAFE_HTML(1)