I want users to be able to add custom html to the site and I want to avoid XSS attacks. How do I do this? I thought I would only allow a few tags like these:
[b], [i], [u], [img], [hr], [list], [color=X], [size=X], [font=X], [url]
and remove everything else.
Most would recommend using a BBCode parser extension for PHP. This means that you must have the extension installed, however. You could do this using regular expressions, but you would definitely need to be careful. Nested tags will add more complication than regex is equipped to handle. You start having to use things like recursive regex replacements using callbacks, and don't even get me started on what happens when users improperly nest their tags or put double quotes into their anchor URLs.
Using regex for BBCodes usually means you end up dying a grisly death.
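An added example (not from the question or the answer above) of the whitelist approach the question asks for, written in Python rather than PHP so it runs stand-alone: everything outside a tag is HTML-escaped, each allowed tag's argument is validated (URL scheme whitelist, color pattern, numeric size range, a constructed font-name list), and a stack handles nesting so misnested or stray closers degrade to literal text instead of unbalanced HTML. It omits [img] and [list] and accepts [url] only in the [url=address] form.

```python
import html
import re
from urllib.parse import urlparse

# Whitelist: [tag]...[/tag] pairs that map to a fixed HTML element ([list] and [img] are omitted).
SIMPLE_TAGS = {"b": "strong", "i": "em", "u": "u"}
SAFE_SCHEMES = {"http", "https"}               # whitelist, so javascript:, data:, vbscript: never pass
SAFE_FONTS = {"arial", "verdana", "courier"}   # constructed example whitelist of font names
TOKEN = re.compile(r"\[(/?)([a-z]+)(?:=([^\]]*))?\]", re.I)

def open_tag(name, arg):
    """Return (html_open, html_close) for an allowed tag, or None to reject it."""
    if name in SIMPLE_TAGS and arg is None:
        el = SIMPLE_TAGS[name]
        return "<%s>" % el, "</%s>" % el
    if name == "color" and arg and re.fullmatch(r"#[0-9a-fA-F]{6}|[a-z]{1,20}", arg):
        return '<span style="color:%s">' % arg, "</span>"      # value fully validated, no CSS injection
    if name == "size" and arg and arg.isdigit() and 8 <= int(arg) <= 36:
        return '<span style="font-size:%spx">' % arg, "</span>"
    if name == "font" and arg and arg.lower() in SAFE_FONTS:
        return '<span style="font-family:%s">' % arg.lower(), "</span>"
    if name == "url" and arg:
        p = urlparse(arg.strip())
        if p.scheme in SAFE_SCHEMES and p.netloc:               # urlparse lowercases the scheme
            return '<a href="%s" rel="nofollow">' % html.escape(arg.strip(), quote=True), "</a>"
    return None

def bbcode_to_html(text):
    out, stack, pos = [], [], 0
    for m in TOKEN.finditer(text):
        out.append(html.escape(text[pos:m.start()]))   # everything outside a tag is escaped
        pos = m.end()
        closing, name, arg = m.group(1) == "/", m.group(2).lower(), m.group(3)
        if closing:
            # Only the innermost open tag may be closed; a stray or misnested closer becomes literal text.
            out.append(stack.pop()[1] if stack and stack[-1][0] == name else html.escape(m.group(0)))
        elif name == "hr" and arg is None:
            out.append("<hr>")
        else:
            pair = open_tag(name, arg)
            if pair is None:
                out.append(html.escape(m.group(0)))    # unknown tag or bad argument: shown as text
            else:
                out.append(pair[0])
                stack.append((name, pair[1]))
    out.append(html.escape(text[pos:]))
    while stack:                                       # auto-close whatever the user left open
        out.append(stack.pop()[1])
    return "".join(out)
```

Because every argument is checked against a positive pattern rather than a blacklist, the sanitizer's behaviour on unknown or odd input is always "render it as text", which is the failure mode you want.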