
Before I start I'd like to say I have read similar questions here but I don't think it really answers the question: Show HTML user input, security issue and Security risks from user-submitted HTML

I think these highlight the problems quite well but I am essentially asking advice for best practice in these circumstances.

I have been programming for a while and have just now come to the point where I want website administrators to submit HTML markup to display the content they want in their own sites.

Securing this content in the database is fine but now I want to display it on the site securely.

Even though this feature is only available to the site admins, I still want to secure against malicious script injections and try to prevent them breaking the page by using poor HTML.

Is the reality that I cannot safely guard against script injections as the threads above seemed to point out?

Do I use the mentality that if they break the site, it's down to them, or can I use some sort of markup validator when they update the content?

DrK
  • What language are you coding? What possible script injections are you talking about? Do you want to allow HTML but forbid JavaScript? Can you give examples? – nl-x Jun 07 '13 at 22:06
  • You could just whitelist certain HTML tags, depending on what content they're uploading. Like for instance just allow
    I believe TinyMCE has this built in... but that's only client side... you should still check and sanitize server side – Kylie Jun 07 '13 at 22:07

3 Answers


What do you think about markdown?

It's a safe way to submit HTML, and it has libraries for most popular languages.

GodFather

You're correct: if you allow submitting pure HTML, there's no way to prevent all possible injections. Even if you disable the <script> tag in all its possible combinations (and there are many), there are other ways, like onfocus and onmouseover events, that can be used to run malicious code.

Yuriy Galanter
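One way to combine the tag whitelist suggested in the comments on the question with the point this answer makes about event-handler attributes, as an added Python example that is not from the question or any answer here: the sanitizer rebuilds the fragment from an allow-list, so anything not explicitly permitted (script and style bodies, every on* attribute, javascript: links, comments, unbalanced tags) never reaches the page. The tag, attribute and URL-scheme lists are assumptions chosen for the example.

```python
import html
from html.parser import HTMLParser
# Constructed allow-list (an assumption, not from the question): tags, per-tag attributes, URL schemes.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "ul", "ol", "li", "a", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_URL_SCHEMES = ("http:", "https:", "mailto:")

class AllowListSanitizer(HTMLParser):
    """Rebuilds a fragment from allow-listed tags/attributes only; script/style bodies,
    on* handlers, javascript: URLs and comments are dropped and all text is re-escaped."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitized output pieces
        self.skip_depth = 0  # >0 inside <script>/<style>: their text is dropped too
        self.open = []       # stack of emitted tags, so the output is always balanced
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return           # unknown tag: drop the tag itself, keep its text content
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()) or value is None:
                continue     # this also removes every on* event handler attribute
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_SCHEMES):
                continue     # blocks javascript:, data:, vbscript: and relative links
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag != "br":      # <br> is a void element and never gets a closing tag
            self.open.append(tag)
    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in self.open:  # close down to the matching tag so nesting stays valid
            while (closed := self.open.pop()) != tag:
                self.out.append(f"</{closed}>")
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))
    def result(self):
        self.close()         # flush buffered text, then close anything still open
        self.out.extend(f"</{t}>" for t in reversed(self.open))
        return "".join(self.out)

def sanitize(fragment):
    s = AllowListSanitizer()
    s.feed(fragment)
    return s.result()
```

Because the output is regenerated rather than filtered in place, badly nested or unclosed admin markup also comes out balanced, which addresses the "breaking the page" concern from the question.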

I would advise HTMLPurifier; it's the best solution out there for sure. Google it!

André Catita