I would like to allow a certain list of html elements in a php response. My website consists of a few pages with some php content. In my database i've stored a few records with some text mixed with html elements.
I'm currently escaping this content with the htmlentities function. This works well in most cases, but in this case it also sanitizes my safe html tags.
A couple of possible solutions i encountered:
This seems to be the best solution out there. However, htmlpurifier lacks html5 support. I really would like to use some html5 tags. In the similar posts i've encountered, this option is recommended the most.
This is a quote i copied from the htmlpurifier comparison page
The PHP function striptags() is the classic solution for attempting to clean up HTML. It is also the worst solution, and should be avoided like the plague. The fact that it doesn't validate attributes at all means that anyone can insert an. While this can be bandaided with a series of regular expressions that strip out on[event] (you're still vulnerable to XSS and at the mercy of quirky browser behavior), striptags() is fundamentally flawed and should not be used.
Is there any good alternative you guys can recommend for allowing a list of html(5) tags? Should i use a library or not?
Might it be an idea to use bb tags?
this is very good list:
<br><p><a><strong><b><i><em><img><blockquote><code><dd><dl><hr><h1><h2><h3><h4><h5><h6><label><ul><li><span><sub><sup>
You can use DOMDocument (http://php.net/manual/es/class.domdocument.php) and load the HTML (http://php.net/manual/es/domdocument.loadhtml.php), despite you will get warnings for HTML5 tags so you must turn off errors.
But if you don't want to write code, or do not like the lack of support for HTML which DOMDocument has, then you can try any library from packagist that parse HTML5 (https://packagist.org/?q=parse%20html5&p=0). In this case if your are using Composer will be the easiest solution.
Hope that helps.