XSS Prevention, Tidy vs Purifier?

Question

Greetings,

I'm trying to prevent XSS and improper html from input fields using CKEditor (a javascript WYSIWYG editor).

How should I filter this data on the server side? The two options I'm comparing are PHP Tidy and HTML Purifier. I'm interested in speed, security, and valid nesting.

Edit:

According to HTML Purifier, Tidy does not prevent XSS. So, let me specify that I would first pass the user input through

strip_tags($input,'<img><a><li><ol><ul><b><br>'); before passing to Tidy

Answer 1

HTML Purifier restricts the input beyond what strip_tags can. strip_tags would not strip JavaScript from the attributes of the tags you are allowing. I definitely recommend using HTML Purifier. HTML Purifier is not fast, but add/edit executions are usually less frequent than views so performance is less of an issue.