#1
watch for flying fingers
Devshed Novice (500 - 999 posts)

    what html is safe html from user input?
    I'm writing a script that takes user input and prints it out to the browser. I would like to allow my users to use html in their posts. Currently, I am stripping table tags (for cosmetic reasons) and img tags (because the user is supposed to specify images in a different location). Are there any additional html tags that need to be stripped out for reasons of security?
#2
mod_dev_shed
Devshed Supreme Being (6500+ posts)

    You might want to look at this from the other angle: what tags do you want to allow? Not sure the application, but it seems that there is no reason to allow much more than simple inline tags like <i> and <b>.
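An added example, not code from the thread: the allowlist approach described above, written in Python rather than Perl. Only <b> and <i> survive, every attribute is dropped so an allowed tag cannot carry an event handler, and any other tag is re-emitted as escaped literal text instead of markup.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist, not denylist: only simple inline tags, and no attributes at all
# (an attribute such as onmouseover= would let even <b> carry script).
ALLOWED_TAGS = {"b", "i"}


class AllowlistSanitizer(HTMLParser):
    """Rebuild user HTML keeping only allowlisted tags; everything else becomes text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # output fragments
        self.open_tags = []  # allowed tags currently open, for well-formed output

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attributes deliberately discarded
            self.open_tags.append(tag)
        else:
            # Not on the list: show the raw tag as literal text, never as markup.
            self.out.append(escape(self.get_starttag_text()))

    def handle_startendtag(self, tag, attrs):
        # Self-closing forms (<br/>, <img .../>) are never allowed; escape them.
        self.out.append(escape(self.get_starttag_text()))

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            if tag in self.open_tags:
                # Close anything opened inside it first, so nesting stays valid.
                while (top := self.open_tags.pop()) != tag:
                    self.out.append(f"</{top}>")
                self.out.append(f"</{tag}>")
            # a stray </b> with no open <b> is simply dropped
        else:
            self.out.append(escape(f"</{tag}>"))

    def handle_data(self, data):
        # Text content (entities already decoded) is re-escaped on output.
        self.out.append(escape(data, quote=False))

    def result(self):
        while self.open_tags:  # close anything the user left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(user_html):
    p = AllowlistSanitizer()
    p.feed(user_html)
    p.close()
    return p.result()
```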
#3
watch for flying fingers
Devshed Novice (500 - 999 posts)

    good point, thanks.
#4
11
Devshed Demi-God (4500 - 4999 posts)

I believe you're a Perl person. Check out HTML::TagFilter, which allows you to do VERY specific HTML filtering, even down to specific classes and attributes. It's *very* nice.