Closed designermonkey closed 8 years ago
Depends on your paranoia level. The strip_tags() function is lightweight in that it's built-in to PHP, though it may not catch all cases. On the other end of the spectrum, HTMLPurifier is apparently the gold standard, but it's a lot more code to support and interface with. In the middle is DOM, which is built-in but requires some work on your part.
Does that begin to help?
I took your advice and found a good function that regex strips tags, and then runs through strip tags. I have a problem though.
$f->sanitize('title')->to('callback', function ($subject, $field) {
    // Only strip when the helper is defined; otherwise the value is left untouched.
    if (function_exists('strip_html_tags')) {
        $subject->$field = strip_html_tags($subject->$field);
    }
    return true; // report the sanitize rule as successful
});
Based on the example in the docs. Problem is it allows the string through the sanitize function with the tags intact. I've verified that my strip_html_tags function works.
How about writing a test to show this is not working as expected?
You may want to look at https://github.com/auraphp/Aura.Filter/blob/2.x/tests/SubjectFilterTest.php, or at https://github.com/auraphp/Aura.Filter/blob/2.x/tests/Rule/Sanitize/AbstractSanitizeTest.php and https://github.com/auraphp/Aura.Filter/blob/2.x/tests/Rule/Sanitize/CallbackTest.php.
Thank you.
@designermonkey also I wonder whether it is really going inside the if (function_exists('strip_html_tags')) { block. Do you have a namespace etc. on that class? In that case it probably may not be. Try an exit inside and see, for a quick test.
Turns out it was me being a muppet. I return a request instance from my filter functionality, and had neglected to add the filtered input back to the immutable instance.
Sorry chaps. Thanks for your time though.
Do you have any suggestions on how to remove HTML during sanitization?
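Putting the thread together, here is an added example (not code from the Aura.Filter project or from the thread's participants) of the callback sanitize rule from above, with the sanitized subject written back into a new immutable request instance, which is the step that was missing. It assumes Aura.Filter 2.x's FilterFactory::newSubjectFilter() and SubjectFilter::apply(); the Request class, sanitizeRequest() and the input string are constructed for illustration, and strip_tags() stands in for strip_html_tags().

```php
<?php
// Added example; assumes Aura.Filter 2.x installed via Composer.
require __DIR__ . '/vendor/autoload.php';

use Aura\Filter\FilterFactory;

// Hypothetical immutable request: every change returns a new instance.
final class Request
{
    private $input;

    public function __construct(array $input) { $this->input = $input; }

    public function input(): array { return $this->input; }

    public function withInput(array $input): self
    {
        $clone = clone $this;
        $clone->input = $input;
        return $clone;
    }
}

function sanitizeRequest(Request $request): Request
{
    $filter = (new FilterFactory())->newSubjectFilter();

    // Same callback shape as in the thread; strip_tags() stands in for strip_html_tags().
    $filter->sanitize('title')->to('callback', function ($subject, $field) {
        $subject->$field = strip_tags((string) $subject->$field);
        return true;
    });

    // The filter mutates the subject it is handed, not the request object.
    $subject = (object) $request->input();
    if (! $filter->apply($subject)) {
        throw new RuntimeException('sanitization failed');
    }

    // The bug from the thread: returning $request here discards the sanitized
    // values. Copy them into a fresh immutable instance instead.
    return $request->withInput((array) $subject);
}

// Constructed input: markup in the title. strip_tags() drops the tags but keeps
// their text content, which is why the thread calls it a lightweight option.
$dirty = new Request(['title' => 'Hello <b>world</b><script>alert(1)</script>']);
$clean = sanitizeRequest($dirty);

assert($dirty->input()['title'] === 'Hello <b>world</b><script>alert(1)</script>');
assert($clean->input()['title'] === 'Hello worldalert(1)');
echo $clean->input()['title'], PHP_EOL;
```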