2011-01-23, 09:44 PM
http://htmlpurifier.org/ Wrote:
HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, it will also make sure your documents are standards compliant, something only achievable with a comprehensive knowledge of W3C's specifications. Tired of using BBCode due to the current landscape of deficient or insecure HTML filters? Have a WYSIWYG editor but never been able to use it? Looking for high-quality, standards-compliant, open-source components for that application you're building? HTML Purifier is for you!
This plugin adds support for HTMLPurifier in MyBB. It's Open Source, LGPL. To make it work, you have to upload both the plugin and the library. If you allow HTML in posts, private messages, or signatures, the plugin will use the HTMLPurifier library to remove any bad or malicious code.
Download: http://mods.mybb.com/view/htmlpurifier
Alternative Download: https://github.com/frostschutz/HTMLPurifier-MyBB
Download the library itself: http://htmlpurifier.org/
Installation instructions:
- Upload htmlpurifier.php to inc/plugins/
- Download the HTMLPurifier Library from http://htmlpurifier.org/
  (use version 4.2.0 or newer)
- Upload the HTMLPurifier library to inc/plugins/htmlpurifier/
  (only the contents of the library/ folder)
- Create a directory cache/htmlpurifier and make it writable
  (plugin attempts to do this automatically, if cache/ is already writable)
- Activate the plugin
Notes:
- I can't vouch for the quality of the filtered HTML, as that is done by the external library.
- Because the filtering is highly expensive, it is only done as you post (before it goes into the database). Old posts won't be affected.
- Bad HTML can cause text to be filtered (and thereby lost) when posting.
- Signatures are only filtered when edited via the User CP. Mod CP / Admin CP edits are not affected.
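A preflight check for the layout the installation steps above should produce, as an added example that is not part of the original post or the plugin's code. It assumes shell access to the host and that the library's HTMLPurifier.php declares its version as `const VERSION = 'x.y.z';`. The function names `version_ge` and `check_install` are hypothetical.

```shell
#!/bin/sh
# Added example: preflight check for the install layout listed in the post.
# Run as the web server user so the writability test reflects what PHP sees.
# Usage: check_install /path/to/mybb   (path is a placeholder)

# Succeeds when dotted version $1 is >= dotted version $2.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Prints one line per problem; returns non-zero if any step was missed.
check_install() {
    root=$1; lib="$root/inc/plugins/htmlpurifier"; rc=0
    [ -f "$root/inc/plugins/htmlpurifier.php" ] ||
        { echo "missing: inc/plugins/htmlpurifier.php (the plugin)"; rc=1; }
    if [ -f "$lib/HTMLPurifier.php" ]; then
        # Assumption: the library declares its version as: const VERSION = 'x.y.z';
        ver=$(sed -n "s/.*VERSION *= *'\([0-9.]*\)'.*/\1/p" "$lib/HTMLPurifier.php" | head -n 1)
        if [ -z "$ver" ]; then
            echo "warning: could not read the library version"
        elif ! version_ge "$ver" 4.2.0; then
            echo "too old: library $ver, need 4.2.0 or newer"; rc=1
        fi
    elif [ -d "$lib/library" ]; then
        echo "wrong layout: upload only the contents of library/"; rc=1
    else
        echo "missing: inc/plugins/htmlpurifier/HTMLPurifier.php (the library)"; rc=1
    fi
    if [ ! -d "$root/cache/htmlpurifier" ]; then
        echo "missing: cache/htmlpurifier"; rc=1
    elif [ ! -w "$root/cache/htmlpurifier" ]; then
        echo "not writable: cache/htmlpurifier"; rc=1
    fi
    return $rc
}
```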