MisterWebNet

A bit tricky if your new to htmlpurifier and tincymce (like me) to figure how why HTMLpurifier isn't filtering the code correctly.

After cycling through various options the only manner I could get them working together was to use the php function htmlspecialchars_decode() on the input from the TinyMCE editor and then run htmlpurifier on it.

If that's not clear, then let me explain another way. A user types some javascript into the tineMCE editor. The htmlpurifier fails to remove it outright. To get it to do so I had to do the following:

$inputtext = text from your tinyMCE editor pass to your php file.

$sampleText=htmlspecialchars_decode($inputtext);

$config = HTMLPurifier_Config::createDefault();
// configuration goes here:
$config->set('Core', 'Encoding', 'UTF-8'); // replace with your encoding
//SOME ELEMENTS I NEED
$config->set('HTML', 'AllowedElements', array('b', 'strong', 'ul', 'ol', 'li',
'em', 'hr', 'blockquote', 'a', 'br', 'p', 'span', 'h1', 'h2', 'h3', 'h4',
'h5', 'h6', 'i', 'cite', 'dl', 'dt', 'dd', 'q', 'img',
'del', 'sub', 'sup', 'tt', 'big', 'caption', 'code', 'small', 'strike'));

//SOME MORE CONFIG OPTIONS
$config->set('HTML', 'AllowedAttributes', array('a.href', 'img.src', 'img.alt'));


$purifier = new HTMLPurifier($config);


$outputText = $purifier->purify($sampleText);

After running the htmlspecialchars_decode() function on the inputted text, the htmlpurifier removed malicious code.