HTML Purifier claims to have a robust yet permissive whitelist: this
page will allow you to see precisely what HTML Purifier's internal
whitelist is. You can
also twiddle with the configuration settings to see how a directive
influences the internal workings of the definition objects.
Modify configuration
You can specify an array by typing in a comma-separated
list of items; HTML Purifier will take care of the rest (including
transformation into a real array list or a lookup table).
Definitions
Parent of Fragment
The HTML that HTML Purifier outputs does not live in a void: when it's
output, it has to be placed in another element by means of
something like <element> <?php echo $html ?> </element>.
The parent in this example is element.
Strict mode
Whether or not HTML Purifier's output is Transitional or
Strict compliant. Non-strict mode is still actually a little strict
and converts many deprecated elements.
#PCDATA
Literally Parsed Character Data: it is regular
text. Tags like ul don't allow text in them, so
#PCDATA is missing.
Tag transform
A tag transform will change one tag to another. Example: font
turns into a span tag with appropriate CSS.
Attr Transform
An attribute transform changes a group of attributes based on one
another. Currently, only lang and xml:lang
use this hook, to synchronize each other's values. Pre/Post indicates
whether or not the transform is done before/after validation.
Excludes
Tags that an element excludes are excluded for all descendants of
that element, not just its children.
Name(Param1, Param2)
Represents an internal data-structure. You'll have to check out
the corresponding classes in HTML Purifier to find out more.
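
The same definition data can be read directly from the configuration object, which is useful when reviewing what a given configuration actually whitelists. The script below is an added example, not code from this page or from the HTML Purifier project; it assumes the library is installed through Composer (vendor/autoload.php), and the sample markup at the end is constructed.

```php
<?php
// Added example. Assumes HTML Purifier was installed with Composer.
require __DIR__ . '/vendor/autoload.php';

$config = HTMLPurifier_Config::createDefault();
$config->set('Cache.DefinitionImpl', null); // build the definition in memory, no cache files
$config->set('HTML.Parent', 'div');         // element the purified fragment will be placed in
$config->set('HTML.Strict', false);         // Transitional rather than Strict output

// The finalized HTML definition: the internal whitelist this page displays.
$def = $config->getHTMLDefinition();

echo "Parent of fragment: {$def->info_parent}\n";
echo "Whitelisted elements: " . implode(', ', array_keys($def->info)) . "\n\n";

// Tag transforms: deprecated tag => replacement tag.
foreach ($def->info_tag_transform as $from => $transform) {
    echo "Tag transform: {$from} -> {$transform->transform_to} ("
        . get_class($transform) . ")\n";
}
echo "\n";

foreach ($def->info as $name => $element) {
    // Allowed attributes for the element (the per-element attribute whitelist).
    echo "{$name}: attributes [" . implode(', ', array_keys($element->attr)) . "]\n";

    // Excludes apply to every descendant of the element, not only its children.
    if (!empty($element->excludes)) {
        echo "  excludes: " . implode(', ', array_keys($element->excludes)) . "\n";
    }

    // Attribute transforms, run before (pre) or after (post) validation.
    foreach (['pre' => $element->attr_transform_pre,
              'post' => $element->attr_transform_post] as $stage => $transforms) {
        foreach ($transforms as $transform) {
            echo "  attr transform ({$stage}): " . get_class($transform) . "\n";
        }
    }
}

// Constructed sample input: a deprecated font tag and a nested anchor,
// which exercise a tag transform and an exclusion respectively.
$dirty = '<font color="red">text</font>'
       . '<a href="/outer">outer <a href="/inner">inner</a></a>';
$purifier = new HTMLPurifier($config);
echo "\nPurified: " . $purifier->purify($dirty) . "\n";
```

Change the HTML.Parent or HTML.Strict values and rerun to see how the whitelist, transforms and exclusions shift with each directive.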