1

I have a comment system based on forms and PHP catching POST. I'm trying to make some sort of formatting (bold, underscores, italic...) but I'm using XSS protection: htmlspecialchars().

How to tell PHP not to parse and other tags? Is there any JS editor which can edit text and send it as a textarea?

1 Answer

1

Probably the safest way is to settle for something like markdown for the simple formatting and then convert that to HTML at the point of output.

If you want to use actual HTML, I would go for a whitelist approach of tags that you want to keep and use strip_tags with that whitelist as a first approach to it. Although using another format like markdown is probably the safer variant.

ChristianM
  • 1,793
  • 12
  • 23
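The two approaches in the answer, as an added example that is not part of the question or answer above: a strip_tags() allow-list, and the safer route of escaping everything with htmlspecialchars() first and then turning a tiny constructed markup (*bold*, _underline_, //italic//) into HTML at output time. The function names, the markup markers and the sample comment are this example's own. It also shows the caveat that makes the answer prefer the markdown-style route: strip_tags() keeps attributes on the tags it allows, so an event-handler attribute on an allowed tag passes through.

```php
<?php
// Added example, not code from the original post. Compares an allow-list
// strip_tags() filter with an escape-then-markup renderer for comment text.

// Approach 1: strip_tags() with an allow-list of tags.
// Caveat: strip_tags() does not modify attributes on the tags you allow, so
// <b onmouseover="..."> is returned unchanged. The tag is allowed, the
// attribute rides along, and the browser will run it.
function filterWithAllowList(string $comment): string
{
    return strip_tags($comment, '<b><i><u>');
}

// Approach 2: escape first, then convert a minimal markup into HTML.
// Every '<', '>', '"' and '&' from the user is already escaped, so the only
// tags that can appear in the output are the ones this function emits.
function renderComment(string $comment): string
{
    $escaped = htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Constructed markup for this example: *bold*, _underline_, //italic//.
    // Non-greedy matches keep one marker pair from swallowing the next.
    $patterns = [
        '/\*(.+?)\*/s' => '<b>$1</b>',
        '/_(.+?)_/s'   => '<u>$1</u>',
        '#//(.+?)//#s' => '<i>$1</i>',
    ];
    $html = preg_replace(array_keys($patterns), array_values($patterns), $escaped);

    // Keep the user's line breaks as <br> in the rendered comment.
    return nl2br($html);
}

// Constructed sample input: legitimate formatting plus an injection attempt
// through an allowed tag's attribute and through a disallowed tag.
$sample = "Hello *world*, this is _important_ and //new//.\n"
        . "<b onmouseover=\"alert(1)\">hover</b> <script>alert(2)</script>";

echo "strip_tags allow-list:\n", filterWithAllowList($sample), "\n\n";
// The <script> element is removed, but <b onmouseover="alert(1)"> survives
// intact, so the allow-list alone is not enough.

echo "escape-then-markup:\n", renderComment($sample), "\n";
// Both injected tags come out as visible text (&lt;b ...&gt;), while *world*,
// _important_ and //new// become <b>, <u> and <i> elements.
```

The second function is the shape the answer recommends: escaping happens once, at output, on the raw stored text, and the markup-to-HTML step only ever produces the handful of elements you chose. The toy markers are deliberately minimal; the `_` rule, for instance, would also match underscores inside identifiers, which is why a real deployment would use an established Markdown library rather than hand-rolled regexes.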