Cleaning and Validating user input with htmLawed

htmLawed is a highly customizable single-file PHP script to make text secure, standard and admin policy-compliant for use in the body of HTML 4, XHTML 1 or 1.1, or generic XML documents. It is thus a configurable input (X)HTML filter, processor, purifier, sanitizer, beautifier, etc., and an alternative to the HTMLTidy application.

The lawing in of input text is needed to ensure that HTML code in the text is standard-compliant, does not introduce security vulnerabilities, and does not break the aesthetics, design or layout of web-pages. htmLawed tries to do this by, for example, making HTML well-formed with balanced and properly nested tags, neutralizing code that may be used for cross-site scripting (XSS) attacks, and allowing only specified HTML elements/tags and attributes
.
Features

• Make HTML markup in text secure and standard-compliant
• Process text for use in HTML, XHTML or XML documents
• Restrict HTML elements, attributes or URL protocols using black- or white-lists
• Balance tags, check element nesting, transform deprecated attributes and tags, make relative URLs absolute, etc.
• Fast, highly customizable, well-documented
• Single, 47 kb file
• Simple HTML Tidy alternative
• Use to filter, secure & sanitize HTML in blog comments or forum posts, generate XML-compatible feed items from web-page excerpts, convert HTML to XHTML, pretty-print HTML, scrape web-pages, reduce spam, remove XSS code, etc.

Using htmLawed is as simple as it gets. You can either include() the htmLawed.php file or copy-paste the entire code. htmLawed should work with PHP 4.3 and higher.
htmLawed is free and open-source software licensed under GPL license version 3, and copyrighted by Santosh Patnaik. You can find further information, demo & download on htmLawed Websiter.

Some of the Example Usage are::

    $config = array('safe'=>1);
    $out = htmLawed($in);

  Simplest, allowing all valid HTML markup except javascript: --

    $out = htmLawed($in);

  Allowing all valid HTML markup including javascript: --

    $config = array('schemes'=>'*:*');
    $out = htmLawed($in, $config);

  Allowing only safe HTML and the elements a, em, and strong --

    $config = array('safe'=>1, 'elements'=>'a, em, strong');
    $out = htmLawed($in, $config);

  Not allowing elements script and object --

    $config = array('elements'=>'* -script -object');
    $out = htmLawed($in, $config);

  Not allowing attributes id and style --

    $config = array('deny_attribute'=>'id, style');
    $out = htmLawed($in, $config);

  Permitting only attributes title and href --

    $config = array('deny_attribute'=>'* -title -href');
    $out = htmLawed($in, $config);

  Remove bad/disallowed tags altogether instead of converting them to entities --

    $config = array('keep_bad'=>0);
    $out = htmLawed($in, $config);

  Allowing attribute title only in a and not allowing attributes id, style, or scriptable on* attributes like onclick --

    $config = array('deny_attribute'=>'title, id, style, on*');
    $spec = 'a=title';
    $out = htmLawed($in, $config, $spec);

  Some case-studies.

  1. A blog administrator wants to allow only a, em, strike, strong and u in comments, but needs strike and u transformed to span for better XHTML 1-strict compliance, and, he wants the a links to be to http or https resources:

    $processed = htmLawed($in, array('elements'=>'a, em, strike, strong, u', 'make_tag_strict'=>1, 'safe'=>1, 'schemes'=>'*:http, https'), 'a=href');

  2. An author uses a custom-made web application to load content on his web-site. He is the only one using that application and the content he generates has all types of HTML, including scripts. The web application uses htmLawed primarily as a tool to correct errors that creep in while writing HTML and to take care of the occasional bad characters in copy-paste text introduced by Microsoft Office. The web application provides a preview before submitted input is added to the content. For the previewing process, htmLawed is set up as follows:

    $processed = htmLawed($in, array('css_expression'=>1, 'keep_bad'=>1, 'make_tag_strict'=>1, 'schemes'=>'*:*', 'valid_xhtml'=>1));

  For the final submission process, keep_bad is set to 6. A value of 1 for the preview process allows the author to note and correct any HTML mistake without losing any of the typed text.

  3. A data-miner is scraping information in a specific table of similar web-pages and is collating the data rows, and uses htmLawed to reduce unnecessary markup and white-spaces:

    $processed = htmLawed($in, array('elements'=>'tr, td', 'tidy'=>-1), 'tr, td =');