)[^><]+?(?=<|$)#', array($this, 'postFilterCallback'), $html); } protected function postFilterCallback($matches) { // @see https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content $content = html_entity_decode($matches[0]); return str_replace( array('&', '"', "'", '<', '>', '(', ')', '/'), array('&', '"', ''', '<', '>', '(', ')', '/'), $content ); } } $config = HTMLPurifier_Config::createDefault(); $config->set('Filter.Custom', array(new HTMLPurifier_Filter_EscapeTextContent) ); $purifier = new HTMLPurifier($config); $clean_html = $purifier->purify($_POST["ir1"]); echo $clean_html; ?>