Add safe_html() for XSS-safe WYSIWYG HTML sanitization

🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-25 23:39:42 +00:00
parent 1322bbf988
commit 1abbac58e7
419 changed files with 39662 additions and 154 deletions
--- a/app/RSpade/man/safe_html.txt
+++ b/app/RSpade/man/safe_html.txt
@@ -0,0 +1,66 @@
+SAFE_HTML(1)                    RSpade Manual                    SAFE_HTML(1)
+
+NAME
+    safe_html - Sanitize HTML from WYSIWYG editors to prevent XSS attacks
+
+SYNOPSIS
+    PHP:  safe_html(string $html): string
+    JS:   safe_html(html_string)
+
+DESCRIPTION
+    Filters potentially malicious HTML while preserving safe formatting tags.
+    Use for all user-generated rich text content before display.
+
+    Both PHP (HTMLPurifier) and JS (DOMPurify) implementations use matching
+    allowed tags and attributes for consistent behavior.
+
+WHAT GETS STRIPPED
+    - <script> tags and contents
+    - Event handlers (onclick, onerror, onload, etc.)
+    - javascript: and data: URLs
+    - <iframe>, <object>, <embed> tags
+    - <style> tags and style attributes with expressions
+    - Any tag/attribute not in the allowed list
+
+ALLOWED TAGS
+    p, br, strong, b, em, i, u, s, strike, a, ul, ol, li, blockquote,
+    h1, h2, h3, h4, h5, h6, pre, code, img, table, thead, tbody, tr, th, td,
+    div, span
+
+ALLOWED ATTRIBUTES
+    href, title, target (on links)
+    src, alt, width, height (on images)
+    class (on all elements)
+
+EXAMPLES
+    PHP:
+        $clean = safe_html($user_input);
+        echo $clean;  // Safe to output
+
+    JS:
+        const clean = safe_html(editor.getHTML());
+        container.innerHTML = clean;  // Safe to insert
+
+    Input:  <p>Hello <script>alert(1)</script></p>
+    Output: <p>Hello </p>
+
+    Input:  <a href="javascript:alert(1)">click</a>
+    Output: <a>click</a>
+
+    Input:  <img src="x" onerror="alert(1)">
+    Output: <img src="x">
+
+USAGE PATTERN
+    Always sanitize on the server before storing OR before display.
+    Sanitizing on both client and server provides defense in depth.
+
+    // Controller - sanitize before saving
+    $model->description = safe_html($params['description']);
+
+    // Or sanitize on display in template
+    <%!= safe_html(this.data.description) %>
+
+SEE ALSO
+    html() - Escape all HTML (for plain text, not rich text)
+
+RSpade Framework                  December 2025                   SAFE_HTML(1)