Sanitizing user submitted html

Looking for advice and code to sanitize html submitted through a cms system.

Permissible content:



html
javascipt


Not Allowed:



php
are there other things that should be excluded?

I realize allowing javascript is also risky, but have to allow it so users can include 3rd party widgets, etc.

Thanks

Well, if you're going to allow html and javascript, you've pretty much done yourself out of any sanitisation. The simple fact that javascript is allowed, means your site is open to anything - including cross-site hacks and viruses, unless you moderate everything.

You don't need to strip PHP if you're just storing and echo()ing it out. Just don't include() or eval() it...

Another point here is: stripping out php is kinda awkward, but if you wanna pursue it properly, without "hacky" str_replace(), gimmie a shout.