
HTML Purifier - Filter your HTML standards-compliant - Anti XSS - jacquesm
http://www.htmlpurifier.org/
======
blasdel
It allows the <img> element by default, so it's wide open to XSS in IE6 and
older versions of Opera -- they treat <img src=url> identically to <script
src=url> when the response from the url has javascript content.

You really can't let people embed images from arbitrary domains, if only to
prevent getting goatsed later.

~~~
jacquesm
Thank you, I have taken note of that and will change the configuration
accordingly.
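One way to do the configuration change jacquesm mentions, added here as an example (not code from the thread or from the HTML Purifier project); it assumes the library is loaded via Composer and uses a placeholder site host name.

```php
<?php
// Added example: lock down <img> in HTML Purifier so images can only be
// loaded from the site's own host. Assumes the ezyang/htmlpurifier package
// is installed via Composer; adjust the require path if it is not.
require_once 'vendor/autoload.php';

function buildPurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();

    // Explicit element/attribute whitelist instead of the broad default set.
    // img stays allowed, but only with src and alt.
    $config->set('HTML.Allowed', 'p,b,i,a[href],img[src|alt]');

    // Placeholder host name (assumption): this is what the purifier treats
    // as "our" server when deciding whether an absolute URI is external.
    $config->set('URI.Host', 'example.com');

    // Reject embedded resources (img src and the like) that point at any
    // other host. An <img> whose src is rejected loses its required
    // attribute, so the whole element is dropped from the output.
    $config->set('URI.DisableExternalResources', true);

    // Plain http/https only; no data:, javascript: or other schemes.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);

    return new HTMLPurifier($config);
}

function purifyUserHtml(string $dirty): string
{
    return buildPurifier()->purify($dirty);
}

// Constructed sample input: one same-host image and one remote image.
// Only same-host (relative or example.com) image references survive.
$dirty = '<p>hello</p>'
       . '<img src="/uploads/avatar.png" alt="local">'
       . '<img src="http://other-host.invalid/pic.png" alt="remote">';

echo purifyUserHtml($dirty), "\n";
```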

