How Can I Safely Output Content That Contains Html Tags?

I have a blog system, and the user has to input content into an html text area, including html tags such as

. This is stored in a database. If this input is then echoed to

Solution 1:

What you want is selective filtering or sanitization. In other words, you want to allow some HTML, but not other, possibly malicious tags. This is very tricky business, especially since HTML syntax is very complex and overly simple sanitization attempts are prone to errors which allow injection of tags through malformed HTML anyway.

If possible, you should stay away from letting your users submit HTML at all. Use a special markup language like Wiki markup, Markdown, BBcodes or similar.

If you are sure what you're doing, you should choose a good, well tested, robust library that provides such sanitization functions. HTML Purifier is the only one I know that fits this description.

Solution 2:

Well, you can just strip <script> tags, using strip_tags()this is not a bulletproof solution, but you can improve the safety by just allowing some tags (basically bold, italics, links and a few more)...

You can then easily print your content and avoid javascript execution.

$text = '<p>Test paragraph.</p><!-- Comment --><ahref="#fragment">Other text</a>';
echo strip_tags($text);
echo "\n";

// Allow <p>, <a> and some formatting
echo strip_tags($text, '<p><a><i><em><b><strong>');