I saw Kohana framework allowing users to optionally use HTMLPurifier against any possible XSS attacks.
I thought HTMLPurifier was meant to allow standard-compliant output of the HTML.
Does it help avoid XSS attacks 100% or probably to great extent? Or you would suggest something else.
Thanks
As for every possible piece of software, it can not be perfect, and there is always a risk that someone somewhere one day can find a security hole and exploit it.
So, no-one will tell you "it help avoid XSS attacks 100%"...
But, each time I've head of HTMLPurifier, it was in great terms -- and I've used it successfully a couple of times, and will use it again for some future projects.
So, I think that "probably to great extent" is your answer ;-)