殺菌javascript在<a onclick="sth" href =""> in user input

Question

From the user submitted post there are things like

<a onclick="sth()" href ="legitlink.html">some content</a> 

I would like to preserve the link so that the link can still be display, but the javascript part should be sterilized

<a href="legitlink.html">some content</a> 

How can this be done in php? Is there some extensions or frameworks that handle these kind of work automatically?

Answer 1

Don't try to make this by yourself - I bet you forgot some malicious code parts. There are testet libraries, which do a great job. I.e. have a look at HTML Purifier

require_once '/path/to/HTMLPurifier.auto.php'; 

$config = HTMLPurifier_Config::createDefault(); 
$purifier = new HTMLPurifier($config); 
$clean_html = $purifier->purify($dirty_html);