
I understand there are numerous similar questions; however, none correctly fully answer my question.

I'm allowing the user to add formatted HTML to a textfield (strong, ul, li). I will then need to safely display, avoiding any XSS etc.

Side note: Using prepared statements.

  1. Should I encode my HTML from the form using htmlentities() (or htmlspecialchars) and input that into the database? I also don't believe using html_entity_decode($html); would protect me from an XSS attack.

  2. I could run the strip_tags(); prior to inputting in MySQL. I'm not sure this is the best?

  3. If I allow the user to input HTML into MySQL and use htmlentities() to display, I want to render the HTML now display it.

user1040259

  • "I'm allowing the user to add formatted HTML to a textfield (strong, ul, li)". Best way is to use Markdown for that. – Stan Feb 16 '15 at 21:05
  • Don't store modified text - store it in the database in its original format. If you want to limit some tags' usage, use `strip_tags()`. Otherwise, just make sure you call `htmlspecialchars()` to prevent XSS at the time you _output_ the strings, not before storing them. But since you are allowing HTML input, you need to be really careful about what tags you accept and what _attributes_ you accept to prevent XSS. – Michael Berkowski Feb 16 '15 at 21:07
  • You can also use something like [`HTMLPurifier`](http://htmlpurifier.org/) if you need to get really specific about what you want to allow going in. – prodigitalson Feb 16 '15 at 21:12
  • If I understand the question correctly, OP `wants` the user to be able to enter HTML, including basic tags like , , etc, like many sites (such as ebay) do to allow the user to enter formatted text. So, stripping these tags out, or using `htmlspecialchars` would defeat the purpose. As prodigitalson mentioned, HTMLPurifier could be used to remove any scripting or malicious code from the HTML entered by the user. You can find some more ideas for solutions to this problem at http://stackoverflow.com/questions/3129899/what-are-the-common-defenses-against-xss. – mti2935 Feb 16 '15 at 22:30
  • Worth a read: http://kunststube.net/escapism/ – halfer Feb 17 '15 at 12:45
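Following the advice in Michael Berkowski's and prodigitalson's comments (store the raw text, escape at output, allow-list the tags, and watch the attributes), here is an added PHP example that is not part of the question or its comments. The function names and the strong/ul/li allow-list are assumptions for illustration; HTMLPurifier, as the comments point out, is the maintained choice for a production-grade version.

```php
<?php
// Added example, not from the question or its comments: store the user's HTML
// unmodified and sanitise it only at render time with an element allow-list;
// attributes are always dropped, since strip_tags('<strong><ul><li>') would keep
// e.g. onmouseover. Names are assumptions; HTMLPurifier is the maintained option.

const ALLOWED_TAGS = ['strong', 'ul', 'li'];

function escape_text(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function sanitize_fragment(string $raw): string
{
    libxml_use_internal_errors(true); // unknown tags only produce warnings
    $doc = new DOMDocument();
    // The XML PI forces UTF-8; the wrapper <div> keeps the fragment together.
    $loaded = $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $raw . '</div>');
    libxml_clear_errors();
    if (!$loaded) {
        return escape_text($raw); // unparseable input is shown as plain text
    }
    $root = $doc->getElementsByTagName('div')->item(0); // wrapper comes first
    return $root === null ? '' : render_children($root);
}

function render_children(DOMNode $node): string
{
    $out = '';
    foreach ($node->childNodes as $child) {
        if ($child instanceof DOMText) {
            $out .= escape_text($child->nodeValue); // "<script>" as text stays text
        } elseif ($child instanceof DOMElement) {
            $name = strtolower($child->tagName);
            if (in_array($name, ALLOWED_TAGS, true)) {
                // Re-emit the tag bare: no onclick, style, href or other attributes.
                $out .= "<$name>" . render_children($child) . "</$name>";
            } else {
                $out .= render_children($child); // script, a, img, ...: text only
            }
        }
        // Comments and other node types are dropped.
    }
    return $out;
}

// Constructed input: attribute on an allowed tag, a script, a tag not allowed.
$input = '<ul><li onclick="alert(1)"><strong>ok</strong></li></ul><script>alert(2)</script><b>bold</b>';
echo sanitize_fragment($input), PHP_EOL;
```

The stored column keeps the user's original string (written with a prepared statement, as the question already does); only the rendered output goes through sanitize_fragment().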

0 Answers