I have html stored in the database and I need to output it to

Question

0

Editorial Team

Asked: May 22, 20262026-05-22T19:39:23+00:00 2026-05-22T19:39:23+00:00

I have html stored in the database and I need to output it to

0

I have html stored in the database and I need to output it to the page.

If I don’t escape() it, then I get the bold formatting I want, but I run the risk of getting an XSS from the unescaped html source.
If I escape() it, then it shows the raw html code bold text instead of bold text.

How can I escape everything, except some tags? I’m thinking to apply the escape(), then search for the  and  and unescape them. Would that work? Any security problems you see with it? I’m also not sure how I would search for the  tags. Regex for that maybe or what?

P.S. the escape() I mean is a function in Zend. I believe it’s the equivalent of htmlspecialchars().

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-22T19:39:25+00:00

Editorial Team

2026-05-22T19:39:25+00:00Added an answer on May 22, 2026 at 7:39 pm

Unescaping is the way to go. If you only whitelist a couple of tags to be converted back from the html escapes, then you won’t run into XSS exploits.

Workaround markups provide no advantage regarding that, as the many failed BBcode parsers prove.

(Instead of converting back and forth it might however be sensible to utilize HTMLPurifier instead.)

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I have html stored in the database and I need to output it to

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply