He shows how to set up the HTMLPurifier tool into your Zend Framework application so you can use it as a filter on your view's output. He sets it up as a new filter, ZC_Filter_HTMLPurifier, and creates the basic filtering interface library to make it work.

You can find out more about using filters in Zend Framework applications in this section of the manual.

EllisLabs' news release for CodeIgniter 2.0.2 makes mention of "a small vulnerability". This small vulnerability is mentioned no where else (not even the actual changelog for 2.0.2). In reality, I reported seven distinct vulnerabilities across two classes. These vulnerabilities might allow an attacker to inject arbitrary HTML, CSS or Javascript, i.e. Cross-Site Scripting (XSS) into an application's output.

He gives a list of four recommendations that CodeIgniter 2.0.2 users can take to creating (or updating) their applications including using HTMLPurifier when you need sanitization and ensuring that views and templates from third parties are clear of XSS issues.

It's really hard to decide what data is acceptable, especially when user has permission to insert HTML content through form. [...] However, problem can be solved, and quite easily. Almost a year ago I was reading some random blog when I find out about HTML Purifier. Basically, it's library which can filter and fix any HTML.

He gives an example - running a web scraping tool against a site with malformed HTML. By running it through the HTML_Purifier package first, the errors were corrected and the "more correct" HTML source could be parsed easily. The package also helps to protect from XSS attacks via a whole set of filters included by default.

In Part 8 of the ongoing saga describing how to build a real world blog application using the Zend Framework we finally reach the point at which we concentrate on blog entries. At the end of this Part, we will be able to create and edit entries in preparation for Part 9 when we will explore displaying them to the world!

In this part, he shows how to add in the Entry controller with an Add action inside (and what code goes in them). He makes a Zend_Form extended form and throws in some validation, a use of HTMLPurifier and the code to push these entries into your database.

HTMLPurifer is possibly the most understated underpublicised quality library in PHP today. I consider it a fundamental standard library that is automatically included in every PHP web application I start these days.

This latest release candidate (their first!) includes updates on two major features - the use of autoloading and a change to the way you use the filters. Check out a demo of it in action or just download this latest release and try it out for yourself.

HtmlPurifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, it will also make sure your documents are standards compliant. [...] Although Codeigniter comes with it's own XSS filtering method, I prefer the use of the HtmlPurifier.

Installation is simple, involving only a four step process (including the download) and using it is just as easy. It's (basically) just a matter of loading the library and calling the purify method to output the corrected HTML.