symfony - Twig: Allow HTML, but escape script
I am investigating a possible XSS attack vector in my application.
What I have:
- A FormType with a single textarea field. The field can contain HTML tags. A Twig template renders the data as it was inserted.
I use the form to insert the following content:
<b>some valid html text</b> <script type="text/javascript">alert("xss")</script>
When viewing the data, it requires escaping. I am familiar with a few strategies when it comes to escaping data.
1) raw filter: disables escaping -> introduces possible XSS
2) e filter:
The html flavor outputs: &lt;b&gt;some valid html text&lt;/b&gt; &lt;script type=&quot;text/javascript&quot;&gt;alert(&quot;xss&quot;)&lt;/script&gt;
The js flavor outputs: \x3cb\x3esome\x20valid\x20html\x20text\x3c\x2fb\x3e\x0d\x0a\x3cscript\x20type\x3d\x22text\x2fjavascript\x22\x3ealert\x28\x22xss\x22\x29\x3c\x2fscript\x3e
3) {{ var|striptags('<br>')|raw }}, outputs: some valid html text alert("xss")
This one works, but somehow I don't like it. I am rather looking for a black-list solution, not a white-list.
Now my question:
Is there another escaping strategy that allows HTML tags but escapes the <script> tag, as the e("js") filter does?
Should I "kill" the script during form submission or during Twig rendering?
I suggest adding a new Twig filter that fits your needs.
It should be used like
{{ var|filter_black_listed() }}
and in the filter logic add

    class FilterBlackListedExtension extends \Twig_Extension
    {
        private $blacklistedTags = ['script', 'p'];

        public function getFilters()
        {
            return array(
                new \Twig_SimpleFilter('filter_black_listed', array($this, 'htmlFilter')),
            );
        }

        public function htmlFilter($html)
        {
            foreach ($this->blacklistedTags as $tag) {
                // Drop the tag with its content. PHP's PCRE has no /g modifier:
                // preg_replace already replaces every match. /i matches <SCRIPT>
                // too, /s lets the match span newlines, [^>]* accepts attributes
                // such as type="text/javascript", and .*? keeps the match non-greedy.
                $html = preg_replace('/<' . $tag . '\b[^>]*>(.*?)<\/' . $tag . '>/is', '', $html);
            }
            return $html; // maybe apply the raw filter afterwards.
        }

        public function getName()
        {
            return 'filter_black_listed_extension';
        }
    }

Let me know if you don't manage to make it work :)
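A regular expression is a fragile way to find elements in HTML. The following is an added example, not code from the question or the answer above: it implements the same black-list idea with PHP's bundled DOM parser, which normalises tag names and handles attributes and odd whitespace for you, and wires it up as a Twig filter. The function name `strip_blacklisted_elements`, the Twig 2/3 class names, and the filter name `filter_black_listed` are assumptions for this example. Note that a black list by element name still lets through event-handler attributes on the allowed tags, so for content shown to other users an allow-list sanitizer (for instance Symfony's HtmlSanitizer component) is the safer design.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question or the answer.
// Assumed names: strip_blacklisted_elements(), FilterBlackListedExtension,
// and the Twig filter name filter_black_listed.

/**
 * Remove every element whose tag name is on the black list, together with
 * its contents, using an HTML parser instead of a regular expression.
 * libxml lower-cases tag names, so <SCRIPT> and
 * <script type="text/javascript"> are both found under 'script'.
 */
function strip_blacklisted_elements(string $html, array $blacklisted = ['script']): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // tolerate sloppy user-supplied HTML
    // The XML prolog tells libxml that the fragment is UTF-8.
    $doc->loadHTML('<?xml encoding="utf-8"?><html><body>' . $html . '</body></html>');
    libxml_clear_errors();

    foreach ($blacklisted as $tag) {
        // Copy the live NodeList first: removing nodes while iterating it skips siblings.
        $nodes = iterator_to_array($doc->getElementsByTagName($tag), false);
        foreach ($nodes as $node) {
            $node->parentNode->removeChild($node);
        }
    }

    // Serialise only the body's children so the wrapper added above is not returned.
    $out = '';
    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body !== null) {
        foreach ($body->childNodes as $child) {
            $out .= $doc->saveHTML($child);
        }
    }
    return $out;
}

// Twig wiring (Twig 2/3 class names; the answer above targets the Twig 1 API).
// Declared only when Twig is installed so this file also runs on its own.
if (class_exists(\Twig\Extension\AbstractExtension::class)) {
    class FilterBlackListedExtension extends \Twig\Extension\AbstractExtension
    {
        public function getFilters(): array
        {
            return [
                // 'is_safe' => ['html'] tells autoescape not to escape the result
                // again, which makes this filter solely responsible for what it
                // lets through: a black list by tag name does not cover
                // event-handler attributes on the tags it keeps.
                new \Twig\TwigFilter(
                    'filter_black_listed',
                    'strip_blacklisted_elements',
                    ['is_safe' => ['html']]
                ),
            ];
        }
    }
}

// Demonstration with the question's own input (constructed sample).
$input = '<b>some valid html text</b> <script type="text/javascript">alert("xss")</script>';
echo strip_blacklisted_elements($input), PHP_EOL;
```

Register the extension with `$twig->addExtension(new FilterBlackListedExtension())` and use `{{ var|filter_black_listed }}` in the template; because the filter declares its output safe for HTML, no trailing `|raw` is needed, and Twig's autoescape stays on for everything else.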