I'm using HTMLPurifier to check for XSS in an entire HTML document. The problem is that it appears to strip out anything that isn’t inside <body> tags. But I want to keep everything, and just look out for serious XSS attacks. Any ideas how to allow <HTML>, <HEAD>, <META>, etc.?
David, I just searched on the HTMLPurifier support forum and saw that you've been busy.
But perhaps you missed the posting from a few months ago that addresses your exact issue, specifically the reply:
Full document support will (ostensibly) come some time in the HTML Purifier 5.x series; we don't actually have the parsing code necessary to actually deal with full HTML documents.
Until then, you'll want to capture your head and DTD and re-add it to the purified doc.
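The workaround the reply describes (capture the doctype and head, purify the body, put the document back together), as an added example that is not part of the original thread and is not HTML Purifier project code. It parses the full document with PHP's DOMDocument, purifies only the body as a fragment, and reassembles. The function name purifyFullDocument, the Composer autoload path and the sample input are assumptions made for this illustration. One caveat worth stating: re-adding the captured head verbatim would reintroduce XSS, since <script>, <base>, <link>, <style> and <meta http-equiv="refresh"> all live there, so the example allow-lists the head instead of copying it through.

```php
<?php
// Added example (not code from the question, the reply, or the HTML Purifier
// project). Assumes HTML Purifier is installed via Composer; purifyFullDocument
// is a name made up for this illustration.
require_once __DIR__ . '/vendor/autoload.php';

/**
 * Purify a full HTML document with HTML Purifier, which only accepts
 * body-level fragments:
 *   1. parse with DOMDocument (tolerant of malformed markup),
 *   2. rebuild the doctype from its parsed parts,
 *   3. keep an allow-listed subset of <head> (title, name/content metas),
 *   4. purify the body's inner HTML as a fragment,
 *   5. reassemble the document.
 */
function purifyFullDocument(string $html): string
{
    $purifier = new HTMLPurifier(HTMLPurifier_Config::createDefault());

    $dom = new DOMDocument();
    libxml_use_internal_errors(true);            // swallow warnings on bad markup
    // Input is assumed to be UTF-8; the PI prefix tells libxml the encoding.
    $loaded = $dom->loadHTML('<?xml encoding="utf-8" ?>' . $html);
    libxml_clear_errors();
    if (!$loaded) {
        return '';                               // nothing parseable: emit nothing
    }

    // 2. Doctype: rebuilt from parsed parts, never copied as raw text.
    $doctype = '<!DOCTYPE html>';
    if ($dom->doctype !== null) {
        $name = preg_replace('/[^A-Za-z0-9]/', '', $dom->doctype->name) ?: 'html';
        $doctype = '<!DOCTYPE ' . $name;
        if ($dom->doctype->publicId !== '') {
            $doctype .= ' PUBLIC "' . htmlspecialchars($dom->doctype->publicId, ENT_QUOTES, 'UTF-8') . '"';
        }
        if ($dom->doctype->systemId !== '') {
            $doctype .= ' "' . htmlspecialchars($dom->doctype->systemId, ENT_QUOTES, 'UTF-8') . '"';
        }
        $doctype .= '>';
    }

    // 3. Head: allow-list. script, base, link, style, meta http-equiv and
    //    on* attributes are all dropped because they are not on the list.
    $head = '';
    $headNode = $dom->getElementsByTagName('head')->item(0);
    if ($headNode !== null) {
        foreach ($headNode->childNodes as $node) {
            if ($node->nodeType !== XML_ELEMENT_NODE) {
                continue;
            }
            $tag = strtolower($node->tagName);
            if ($tag === 'title') {
                // textContent, not inner markup: a <script> inside <title> becomes text.
                $head .= '<title>' . htmlspecialchars($node->textContent, ENT_QUOTES, 'UTF-8') . "</title>\n";
            } elseif ($tag === 'meta' && $node->hasAttribute('name') && $node->hasAttribute('content')) {
                // name/content metas (description, viewport, ...) carry no script.
                $head .= '<meta name="' . htmlspecialchars($node->getAttribute('name'), ENT_QUOTES, 'UTF-8')
                       . '" content="' . htmlspecialchars($node->getAttribute('content'), ENT_QUOTES, 'UTF-8') . "\">\n";
            }
        }
    }

    // 4. Body: serialize its children as a fragment and hand that to HTML Purifier.
    $bodyHtml = '';
    $bodyNode = $dom->getElementsByTagName('body')->item(0);
    if ($bodyNode !== null) {
        foreach ($bodyNode->childNodes as $node) {
            $bodyHtml .= $dom->saveHTML($node);
        }
    }
    $cleanBody = $purifier->purify($bodyHtml);

    // 5. Reassemble. Attributes on <html>/<body> (e.g. onload=) are not carried
    //    over; only a well-formed lang code on <html> is.
    $langAttr = '';
    $root = $dom->documentElement;
    if ($root !== null && preg_match('/^[A-Za-z]{2,3}(-[A-Za-z0-9]{1,8})*$/', $root->getAttribute('lang'))) {
        $langAttr = ' lang="' . $root->getAttribute('lang') . '"';
    }

    return $doctype . "\n<html" . $langAttr . ">\n<head>\n<meta charset=\"utf-8\">\n" . $head
         . "</head>\n<body>\n" . $cleanBody . "\n</body>\n</html>\n";
}

// Constructed sample input (not from the original page): XSS in head and body.
$sample = <<<'HTML'
<!DOCTYPE html>
<html lang="en" onload="alert(1)">
<head>
  <meta charset="utf-8">
  <meta http-equiv="refresh" content="0;url=https://attacker.example/">
  <title>Hello <script>alert(2)</script></title>
  <base href="https://attacker.example/">
  <script>alert(3)</script>
</head>
<body onload="alert(4)">
  <p>Hi <a href="javascript:alert(5)">there</a></p>
  <img src=x onerror="alert(6)">
</body>
</html>
HTML;

echo purifyFullDocument($sample);
```

Run with `php purify_full.php`: the output keeps the doctype, `lang="en"`, the escaped title and the body, while the refresh meta, `<base>`, `<script>` and the `onload=`/`onerror=`/`javascript:` payloads are gone. The body-level removals are HTML Purifier's work; the head-level ones are the allow-list above, which is the part the stock library does not do for you.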