I have a unique situation that I know there is a security issue, but not sure how to go about securing it.
I am allowing users to store 'notes' in the database. These notes can then be viewed by the user on the site. The notes can be anything and if there is at all any way possible I would like to keep it this way.
I am not worried about SQL injection as the data goes into the database, as I am using PDO and binding; however, when it comes to displaying the data to the user, that is a different story.
Just off the top of my head, take the following as examples:
<b>this is in bold</b>
<?php something something ?>
etc...
I want to be able to display these exactly as is, without having any of the HTML tags being read. When I display the first example it visibly shows as bold instead of the 'actual' text. Of course, PHP, JavaScript, and anything else would pose risks too.
I know I could wrap the display in <pre>, but someone could just add their own </pre> and then go about doing whatever they wanted, if hacking/injecting was their intent.
What is the solution here to show this data without worries, exactly as it was typed? Or am I forced to strip tags/code? I really do not want to do that, as the data would no longer be in its original state.
Advice, ideas, etc. are very much appreciated.
EDIT:
As mentioned I would like to display the data exactly as it was originally entered.
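An added example (not code from the question) of the usual fix for this situation: store the note unmodified and encode it on output with PHP's htmlspecialchars(), so the browser shows the tags as literal text. The note samples, the renderNote() helper and the `note` class name are assumptions made for the example.

```php
<?php
// Added example: escape on OUTPUT, never on input. The note stays in the
// database exactly as typed; encoding happens only when it is rendered.
declare(strict_types=1);

/**
 * Return HTML that displays the note text literally.
 * ENT_QUOTES also encodes ' and ", so the result is safe inside attribute
 * values as well as element content; ENT_SUBSTITUTE replaces invalid UTF-8
 * sequences instead of silently returning an empty string.
 */
function renderNote(string $note): string
{
    $escaped = htmlspecialchars($note, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    // white-space: pre-wrap preserves line breaks and spacing like <pre>
    // would, without needing a wrapper tag that a user could try to close.
    return '<div class="note" style="white-space: pre-wrap">' . $escaped . '</div>';
}

// Tell the browser the same charset that htmlspecialchars() was given.
header('Content-Type: text/html; charset=UTF-8');

// Constructed sample notes: the two from the question plus one that tries
// to close a wrapper tag early, which the question raised as the concern.
$notes = [
    '<b>this is in bold</b>',
    '<?php something something ?>',
    '</pre><script>alert(1)</script>',
];

foreach ($notes as $note) {
    echo renderNote($note), "\n";
}
```

Each note is emitted with `<`, `>`, `&`, `"` and `'` replaced by entities, so the bold tag, the PHP tag and the early `</pre>` all appear on screen as the characters the user typed; PHP tags are never executed because the stored text is only ever echoed, never included or eval'd.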