I've been looking at incorporating a WYSIWYG editor in my PHP pages like tinyedit or iRite. Something very much like the box I'm entering this message in; it would have the ability to let the user add links, underlines, bold, etc. into blog posts and comments.

However, does this necessarily open my users up to cross-site scripting? I know just enough about cross-site scripting to know that you're supposed to filter out the bad stuff with htmlentities, but if I do that on a message with formatting and links, won't I be killing those links and formatting as well?

What is the best practice?

Thanks in advance

If you look up strip_tags on the PHP website, you can define a list of the allowable tags. For example, the quick reply editor on Daniweb has bold (<b>, <strong>), italic (<i>), underline (<u>), paragraphs (<p>), spans (<span>) and links (<a>), so you would use a call like

$Input = strip_tags($_POST['user_input'], '<b><strong><i><u><p><span><a>');

How do they handle code snippets, then? How are they kept in the message but kept from becoming live and dangerous?

strip_tags removes PHP tags as well; for JavaScript etc. I use this function:

# This will strip JavaScript/HTML, then prepare the string for inserting into the database.
function make_safe($string) {
    # Remove CDATA sections (the "s" modifier lets "." span newlines).
    $string = preg_replace('#<!\[CDATA\[.*?\]\]>#s', '', $string);
    # Remove all HTML and PHP tags; no allowlist, so all formatting is lost.
    $string = strip_tags($string);
    # Encode remaining special characters as entities, leaving quotes alone
    # (ENT_NOQUOTES) and not re-encoding existing entities (double_encode = false).
    $string = htmlentities($string, ENT_NOQUOTES, 'UTF-8', false);
    # Undo any magic_quotes-style backslashes before escaping for the database.
    $string = stripslashes($string);
    # Escape for a MySQL query; needs an open mysql_* connection
    # (the mysql extension was removed in PHP 7).
    $string = mysql_real_escape_string($string);
    return $string;
}

Any additions would be welcome.


Just one point - if tags aren't closed properly by the WW editor - there goes the rest of your page! Ensure that your editor / own code checks for closed tags and quotes.
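A worked example of the allowlist approach from the strip_tags reply, which also addresses the unclosed-tag warning just above; this is added here and is not code from any poster in the thread. It assumes PHP's bundled DOMDocument/libxml; the tag set is the Daniweb one quoted earlier, while the list of elements dropped with their content and the http(s)/mailto-only rule for href are my own policy choices.

```php
// Added example, not from the thread: allowlist sanitizer for WYSIWYG output.
// strip_tags() keeps every attribute on the tags it allows, so <a href="javascript:...">
// and <b onmouseover="..."> get through. Parsing with DOMDocument lets us allowlist
// tags AND attributes, and the serializer re-emits balanced, closed tags.
function sanitize_html(string $html): string
{
    // Tag => permitted attributes: the Daniweb quick-reply set from the thread.
    $allowed = ['b' => [], 'strong' => [], 'i' => [], 'u' => [],
                'p' => [], 'span' => [], 'a' => ['href']];
    // Elements whose text content is itself executable are dropped outright
    // (assumed policy); any other disallowed element is unwrapped so its text survives.
    $dropWithContent = ['script', 'style', 'iframe', 'object', 'embed'];

    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // tolerate broken markup quietly
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $html . '</body>', LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();

    $xpath = new DOMXPath($doc);
    // Reverse document order: descendants are handled before their ancestors,
    // so unwrapping or removing a node never disturbs nodes still to be visited.
    foreach (array_reverse(iterator_to_array($xpath->query('//body//*'))) as $el) {
        $tag = strtolower($el->nodeName);
        if (!isset($allowed[$tag])) {
            if (!in_array($tag, $dropWithContent, true)) {
                while ($el->firstChild) {             // hoist children out first
                    $el->parentNode->insertBefore($el->firstChild, $el);
                }
            }
            $el->parentNode->removeChild($el);
            continue;
        }
        // Drop every attribute not on the allowlist (on* handlers, style, ...).
        foreach (iterator_to_array($el->attributes) as $attr) {
            if (!in_array($attr->name, $allowed[$tag], true)) {
                $el->removeAttribute($attr->name);
            }
        }
        // Links: only absolute http(s) or mailto targets (assumed policy); no javascript:/data:.
        if ($tag === 'a' && $el->hasAttribute('href')
            && !preg_match('#^(https?://|mailto:)#i', trim($el->getAttribute('href')))) {
            $el->removeAttribute('href');
        }
    }
    $out = '';
    foreach ($doc->getElementsByTagName('body')->item(0)->childNodes as $child) {
        $out .= $doc->saveHTML($child);   // text nodes come out entity-escaped
    }
    return $out;
}
```

Run the returned string through the sanitizer at submit time and store that, so a comment such as `<b onmouseover="x()">hi` comes back as `<b>hi</b>` with the handler gone and the tag closed; database escaping is a separate step (prepared statements), not something this function does.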