Let's say I have a textarea to collect user inputs. Someone turns up and writes HTML code (e.g. a table of something, or an img tag with src to a naked image, a div with 10000px width and height ...) into it instead of plain text. It wouldn't be nice when I print it on my website. How do I avoid it?


If you want to allow some HTML, I recommend the HTML Purifier library. Kind of bulky, but it does the job.

The other way to prevent it from breaking your site is to run the text through htmlentities so it will display as text no matter what.

Thanks. strip_tags() is fine.
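
The three approaches mentioned in this thread, side by side, as an added example that is not code from any of the posters. The function names, the sample input and the HTML Purifier allow-list are assumptions made for illustration; the HTML Purifier branch only runs if that library is already loaded.

```php
<?php
declare(strict_types=1);

// Constructed sample input of the kind the question describes.
$input = "Hello <b>world</b>\n"
    . "<div style=\"width:10000px;height:10000px\">big box</div>\n"
    . "<img src=\"https://example.invalid/pic.jpg\">\n"
    . "Tom & Jerry said \"hi\"";

// Option 1: show everything as literal text. ENT_QUOTES also encodes
// single quotes, so the result is safe inside quoted attributes too.
function escape_html(string $text): string
{
    return htmlentities($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Option 2: drop the tags. strip_tags() does not encode quotes or
// ampersands, and broken tags can take extra text with them, so the
// result is still escaped before it is printed.
function strip_then_escape(string $text): string
{
    return escape_html(strip_tags($text));
}

// Option 3: allow a small set of tags with HTML Purifier, if installed.
// The allow-list below is an assumption chosen for illustration.
function purify_html(string $text): ?string
{
    if (!class_exists('HTMLPurifier')) {
        return null; // library not loaded
    }
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed', 'p,b,i,em,strong,a[href]');
    return (new HTMLPurifier($config))->purify($text);
}

// nl2br() runs after escaping so the user's line breaks are kept
// without letting any of their markup through.
echo "escaped:\n", nl2br(escape_html($input)), "\n\n";
echo "stripped:\n", nl2br(strip_then_escape($input)), "\n\n";
echo "purified:\n", purify_html($input) ?? "(HTML Purifier not loaded)", "\n";
```

Escaping belongs at output time, so the stored text stays exactly as the user typed it and can be re-encoded for other contexts later.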