anti-xss
JavaScript keywords will be removed in pre/code tags
What is this feature about (expected vs actual behaviour)?
JavaScript elements will be removed in a pre/code environment. In my opinion, content in pre/code tags should be left untouched (apart from character escaping).
How can I reproduce it?
```php
<?php
require_once __DIR__ . '/vendor/autoload.php'; // Composer autoloader for voku/anti-xss

use voku\helper\AntiXSS;

$antiXss = new AntiXSS();
$text = "<pre>
.innerHTML
.appendChild
.onclick
</pre>";
echo $antiXss->xss_clean($text);
```
Result:
.
Does it take minutes, hours or days to fix?
I don't know.
Any additional information?
I'm not sure if it's a bug or intended behaviour. Maybe I should not use anti-xss on pre/code tags? This would make the usage much more complicated, because it's not possible anymore to insert any html into the xss_clean() function.
Any thoughts @voku?
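One way to keep pre/code contents intact while still running xss_clean() over the surrounding markup, as an added example that is not part of this issue or the anti-xss project: the code blocks are swapped for placeholders, the rest is cleaned, and the blocks are reinserted HTML-escaped. The helper name, the placeholder format and the Composer autoload path are assumptions.

```php
<?php
// Added example (not from the issue or the anti-xss project).
// Assumes voku/anti-xss is installed via Composer.
require_once __DIR__ . '/vendor/autoload.php';

use voku\helper\AntiXSS;

function xssCleanPreservingCode(AntiXSS $antiXss, string $html): string
{
    $blocks = [];

    // Pull out <pre>...</pre> and <code>...</code> (case-insensitive, spans newlines).
    // Attributes on the pre/code tag are dropped and anything nested inside the
    // block is treated as literal text, which is the conservative choice here.
    $withPlaceholders = preg_replace_callback(
        '#<(pre|code)\b[^>]*>(.*?)</\1>#is',
        static function (array $m) use (&$blocks): string {
            $tag = strtolower($m[1]);
            // Escape the body so the browser renders it as text, not markup;
            // double_encode=false leaves entities that are already escaped alone.
            $escaped = htmlspecialchars($m[2], ENT_QUOTES | ENT_HTML5, 'UTF-8', false);
            $key = sprintf('[[ANTIXSS_BLOCK_%d]]', count($blocks)); // assumed placeholder format
            $blocks[$key] = '<' . $tag . '>' . $escaped . '</' . $tag . '>';
            return $key;
        },
        $html
    );

    // Clean everything outside the code blocks as usual.
    $cleaned = $antiXss->xss_clean($withPlaceholders);

    // Put the escaped code blocks back in place of their placeholders.
    return strtr($cleaned, $blocks);
}

// Constructed sample input: the snippet from the issue plus markup outside the block.
$sample = "<p onclick=\"alert(1)\">intro</p>\n<pre>\n.innerHTML\n.appendChild\n.onclick\n</pre>";
echo xssCleanPreservingCode(new AntiXSS(), $sample), PHP_EOL;
```

With this wrapper the three lines inside the pre block come back unchanged (escaped as text), while the onclick attribute outside it is still handled by xss_clean().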