I tried out the HTMLPurifier library briefly; after testing many input strings I got stuck here, and I am wondering why this happened. Specifically, I have this function:
<?php
// Standard HTMLPurifier autoloader shipped with the library (path may differ per install).
require_once 'HTMLPurifier.auto.php';

// Return $var with all disallowed markup removed or entity-encoded by HTMLPurifier.
function filterxss($var) {
    $config = HTMLPurifier_Config::createDefault();
    $purifier = new HTMLPurifier($config);
    return $purifier->purify($var);
}
With this input string
$a = '<</script>script type="text/javascript">alert("test");<</script>/script>';
and with
echo filterxss($a);
it prints the following as plain text in the browser. The echo produces this:
<script type="text/javascript">alert("test");</script>
Why wasn't the script executed?
Please don't vote negative; I am asking for an explanation.
The source code of your purified output is:
<script type="text/javascript">alert("test");</script>
So it shows as plain text, not as a script.
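The following is an added example, not code from the question, the answer or HTMLPurifier, written in Python rather than PHP so it runs without the library. It shows the point of the answer: a purified string whose angle brackets arrive as entities (`&lt;` / `&gt;`) never creates a script element, even though the text a browser displays is identical to the raw markup. The `PURIFIED` and `RAW` strings are constructed to match the question's output and input; the parser used is Python's `html.parser`, standing in for the browser's tokenizer.

```python
"""Added example (not from the question or HTMLPurifier): why an
entity-encoded tag renders as text instead of executing."""
import html
from html.parser import HTMLParser

# Constructed: the purified output as the browser actually receives it
# (what "view source" shows for the question's filterxss() result).
PURIFIED = '&lt;script type="text/javascript"&gt;alert("test");&lt;/script&gt;'

# Constructed: the same markup unfiltered, i.e. a real script element.
RAW = '<script type="text/javascript">alert("test");</script>'


class ElementCollector(HTMLParser):
    """Record element names and visible text the way a tokenizer sees them."""

    def __init__(self):
        # convert_charrefs=True decodes &lt; etc. into text, as a browser does.
        super().__init__(convert_charrefs=True)
        self.tags = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_data(self, data):
        self.text.append(data)


def analyze(markup):
    """Return (list of element names, visible text) for an HTML fragment."""
    parser = ElementCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags, "".join(parser.text)


def is_script_free(markup):
    """Defender's check: the fragment creates no <script> element at all."""
    tags, _ = analyze(markup)
    return "script" not in tags


def displayed_text(markup):
    """What the user sees on the page once entities are decoded."""
    _, text = analyze(markup)
    return text


if __name__ == "__main__":
    # Entity-encoded output: no elements, but the displayed text looks like a tag.
    print(analyze(PURIFIED))   # ([], '<script type="text/javascript">alert("test");</script>')
    # Raw input: a real script element whose body is the JavaScript.
    print(analyze(RAW))        # (['script'], 'alert("test");')
    print(is_script_free(PURIFIED), is_script_free(RAW))  # True False
```

The useful check when validating a sanitizer is therefore not "does the page show `<script>`" but "does parsing the output produce a `script` element"; `displayed_text(PURIFIED)` equals `RAW` character for character, yet `is_script_free(PURIFIED)` is true because the brackets were decoded only after tokenization, at which point they are inert text.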