1

Topic: Vulnerable?

Try processing:
<b onMouseOver="alert('hi');">Hello!</b>

It comes back unprocessed, as you would expect it to. Mousing over generates an alert.

2

Re: Vulnerable?

Perhaps you misunderstood htmLawed's default behavior.

By default, htmLawed will remove only an illegal attribute. It will not remove attributes like 'onmouseover' or tags like 'script' which you may consider dangerous in your specific environment.

If you desire to have htmLawed remove such 'dangerous' HTML, you have to configure htmLawed accordingly. E.g., with:

$config = array('safe'=>1);
$out = htmLawed($in, $config);

or

$config = array('deny_attribute'=>'onmouseover');
$out = htmLawed($in, $config);
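As an added example that is not from either post: a PHP wrapper around htmLawed that applies the second reply's advice ('safe' together with an explicit deny_attribute, here using htmLawed's 'on*' wildcard for all event-handler attributes) plus an element allow-list, and then checks the output for any surviving on* attribute. It assumes htmLawed.php is on the include path; the allow-list and scheme values are this example's choices, and the sample inputs are constructed.

```php
<?php
// Added example, not code from the thread or the htmLawed project itself.
// Assumes htmLawed.php is on the include path.
require_once 'htmLawed.php';

function sanitize_untrusted_html(string $untrusted): string
{
    // Explicit configuration: the default (no config) leaves onmouseover etc. in place.
    $config = array(
        'safe'           => 1,          // drop script/applet/embed/iframe/object and JS in attributes
        'elements'       => 'a, b, i, em, strong, p, br, ul, ol, li', // allow-list of tags (example choice)
        'deny_attribute' => 'on*, style', // 'on*' = every event-handler attribute; style also removed
        'keep_bad'       => 0,          // remove disallowed tags together with their content
        'schemes'        => 'href: http, https; *: http, https', // no javascript: or data: URLs (example choice)
    );
    return htmLawed($untrusted, $config);
}

function has_event_handler_attribute(string $html): bool
{
    // Defence-in-depth check on the output: a surviving on*= attribute means the config is wrong.
    return (bool) preg_match('/<[^>]*\son[a-z]+\s*=/i', $html);
}

// Constructed sample inputs; the first is the one from the original question.
$samples = array(
    '<b onMouseOver="alert(\'hi\');">Hello!</b>',
    '<a href="javascript:alert(1)">link</a>',
    '<p>plain <em>text</em></p>',
);

foreach ($samples as $in) {
    $out = sanitize_untrusted_html($in);
    printf("%-45s -> %s [%s]\n", $in, $out,
        has_event_handler_attribute($out) ? 'FAIL: handler survived' : 'ok');
}
```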