12-02-2010, 08:03 PM
Looking for advice and code to sanitize HTML submitted through a CMS system.

Permissible content:


Not Allowed:

Are there other things that should be excluded?

I realize allowing JavaScript is also risky, but I have to allow it so users can include 3rd-party widgets, etc.


12-02-2010, 08:53 PM
Well, if you're going to allow HTML and JavaScript, you've pretty much done yourself out of any sanitisation. The simple fact that JavaScript is allowed means your site is open to anything - including cross-site hacks and viruses - unless you moderate everything.

You don't need to strip PHP if you're just storing and echo()ing it out. Just don't include() or eval() it...

Another point here is: stripping out PHP is kinda awkward, but if you wanna pursue it properly, without "hacky" str_replace(), gimme a shout.
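To make the two points above concrete, here is an added example (not code from either poster): an allow-list HTML sanitiser in PHP built on ext-dom. It keeps only the tags and attributes in its policy, drops `<script>`/`<style>`/`<iframe>`/`<object>`/`<embed>` with their bodies, strips `on*` handlers and `javascript:` links, and discards comments and processing instructions such as `<?php ... ?>`. The tag, attribute and scheme lists are hypothetical policy values chosen for the example; PHP 7.4+ with ext-dom is assumed, and `$sample` is constructed input.

```php
<?php
// Added example: allow-list HTML sanitiser (hypothetical policy values below).
// Assumes PHP 7.4+ with ext-dom (DOMDocument / libxml).

const ALLOWED_TAGS    = ['p', 'br', 'b', 'i', 'strong', 'em', 'a', 'ul', 'ol', 'li', 'blockquote'];
const ALLOWED_ATTRS   = ['a' => ['href', 'title']];
const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];
const DROP_WITH_BODY  = ['script', 'style', 'iframe', 'object', 'embed'];

function sanitize_html(string $html): string
{
    $doc  = new DOMDocument('1.0', 'UTF-8');
    $prev = libxml_use_internal_errors(true);            // tolerate tag soup quietly
    // Wrap the fragment in one known root so we can serialise just its children.
    // A stray </div> in user input closes the wrapper early and the remainder is
    // dropped, which fails closed rather than open.
    $doc->loadHTML(
        '<?xml encoding="UTF-8"><div>' . $html . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD
    );
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $root = $doc->getElementsByTagName('div')->item(0);  // first <div> in document order is the wrapper
    if ($root === null) {
        return '';
    }
    clean_children($root);

    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);                  // serialisation re-escapes text and attributes
    }
    return $out;
}

function clean_children(DOMNode $parent): void
{
    // Snapshot the list first: we mutate the live childNodes collection while iterating.
    foreach (iterator_to_array($parent->childNodes) as $child) {
        if ($child instanceof DOMText) {
            continue;                                    // plain text is safe once serialised
        }
        if (!$child instanceof DOMElement) {
            $parent->removeChild($child);                // comments, CDATA, and <?php ... ?> PIs
            continue;
        }
        clean_children($child);                          // depth first, so unwrapped content is already clean

        $tag = strtolower($child->tagName);
        if (!in_array($tag, ALLOWED_TAGS, true)) {
            if (in_array($tag, DROP_WITH_BODY, true)) {
                $parent->removeChild($child);            // active content goes, body included
            } else {
                while ($child->firstChild !== null) {    // unwrap: keep the text, lose the tag
                    $parent->insertBefore($child->firstChild, $child);
                }
                $parent->removeChild($child);
            }
            continue;
        }

        $keep = ALLOWED_ATTRS[$tag] ?? [];
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->name);
            if (!in_array($name, $keep, true) || ($name === 'href' && !safe_url($attr->value))) {
                $child->removeAttribute($attr->name);    // covers on* handlers, style, and bad hrefs
            }
        }
    }
}

function safe_url(string $url): bool
{
    $url    = trim($url);
    $scheme = parse_url($url, PHP_URL_SCHEME);           // value is already entity-decoded by the parser
    if ($scheme === null || $scheme === false) {
        return strpos($url, ':') === false;              // allow relative URLs, reject odd colon forms
    }
    return in_array(strtolower($scheme), ALLOWED_SCHEMES, true);
}

// Constructed sample input. Note that the <?php ... ?> inside the string is data,
// not code: PHP never executes it because it is only echoed, never eval()ed or
// include()d, which is the point made in the reply above.
$sample = '<p onclick="alert(1)">Hi <b>there</b><script>alert(1)</script>'
        . '<a href="javascript:alert(1)">x</a> <a href="https://example.com">ok</a>'
        . '<?php echo "not run"; ?><!-- note --></p>';
echo sanitize_html($sample), PHP_EOL;
```

This is the strict-policy alternative to the original request. It only works because `<script>` is not on the allow list; if the site must accept user-supplied JavaScript for third-party widgets, as the first post says, no tag filter can make that safe and the reply's conclusion stands: moderation, not sanitisation, is what is left.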