Those WYSIWYGs invariably use CSS and inline styles to accomplish this rich formatting, thereby making your assertion ridiculous and this library now completely impractical. I hope that the next version will allow basic markup tags and restore the href to anchors.
The problem is that some XSS filters assume that the tag they are looking for is broken up by whitespace.
For example: based on the same idea as above, however, expanded on it, using the RSnake fuzzer.
A very quick test on the 4.2 Sanitizer shows that it totally removes strong tags, h1 tags, section tags and, as mentioned above, strips href attributes from anchor tags. So in other words, AntiXSS is now like an antidepressant.
You’ll feel a lot better after taking it, but you may end up killing yourself. I would have kept my mouth shut about this even though I’ve had my doubts about depending on the library over something DIY, but since I work with a bunch of copycat monkeys, I have to use whatever everyone else deems worthy of being included in a project (common sense be damned).
The very first OWASP Prevention Cheat Sheet, the XSS (Cross Site Scripting) Prevention Cheat Sheet, was inspired by RSnake's XSS Cheat Sheet, so we can thank him for our inspiration.