Displaying untrusted HTML using PHP
Posted by esryl on Stack Overflow
Published on 2010-05-01T18:38:15Z
I have read a number of excellent questions and answers today about dealing with user input. I am now using htmlspecialchars() to display user data in the create/edit forms (but accepting the raw input via prepared PDO statements into my database).
The main question I now have is, what do you do when you are allowing the user to submit HTML which will then be displayed to the public? Obviously htmlspecialchars() is no longer suitable as it just encodes the tags and renders the content useless for purpose.
My application is currently accepting HTML from an admin for product descriptions. This would allow a malicious admin to inject potentially unsafe data into public facing pages.
How do people cope with this?
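One way to handle this, added here as an illustration and not taken from the question or any answer to it: parse the submitted HTML with PHP's bundled DOMDocument, keep only an allowlist of tags and attributes, reject unsafe URL schemes in href values, and re-serialize the cleaned tree. Escaping with htmlspecialchars() is the right tool for plain-text fields; for rich-text fields the data has to be restructured, not escaped. The tag and attribute allowlists, the accepted URL schemes and the sample input below are assumptions chosen for a product-description field.

```php
<?php
// Added example (not from the original question): allowlist-based HTML sanitizer
// built on PHP's bundled DOMDocument. The allowlists are assumptions for a
// product-description field; widen them deliberately, never by default.

const ALLOWED_TAGS = [
    'p' => [], 'br' => [], 'b' => [], 'strong' => [], 'i' => [], 'em' => [],
    'ul' => [], 'ol' => [], 'li' => [],
    'a' => ['href', 'title'],
];
const ALLOWED_URL_SCHEMES = ['http', 'https', 'mailto'];
// Elements whose text content must go with them (it is code, not prose).
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed'];

function sanitizeHtml(string $dirty): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);          // untrusted markup is rarely well-formed
    // The XML PI forces UTF-8; wrapping in <body> gives fragments a single parent.
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $dirty . '</body>');
    libxml_clear_errors();

    $body = $doc->getElementsByTagName('body')->item(0);
    sanitizeNode($body);

    $clean = '';
    foreach ($body->childNodes as $child) {
        $clean .= $doc->saveHTML($child);
    }
    return $clean;
}

function sanitizeNode(DOMNode $node): void
{
    // Iterate over a snapshot: removing or moving children mutates the live list.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (!isset(ALLOWED_TAGS[$tag])) {
                if (in_array($tag, DROP_WITH_CONTENT, true)) {
                    $node->removeChild($child);            // element and its content go
                } else {
                    sanitizeNode($child);                  // unwrap: keep harmless text
                    while ($child->firstChild) {
                        $node->insertBefore($child->firstChild, $child);
                    }
                    $node->removeChild($child);
                }
                continue;
            }
            // Strip every attribute not on the allowlist for this tag. This removes
            // on* event handlers, style, srcdoc, formaction and anything else unknown.
            foreach (iterator_to_array($child->attributes) as $attr) {
                $name = strtolower($attr->name);
                if (!in_array($name, ALLOWED_TAGS[$tag], true)
                    || ($name === 'href' && !isSafeUrl($attr->value))) {
                    $child->removeAttribute($attr->name);
                }
            }
            if ($tag === 'a' && $child->hasAttribute('href')) {
                $child->setAttribute('rel', 'noopener noreferrer');
            }
            sanitizeNode($child);
        } elseif (!($child instanceof DOMText)) {
            // Comments, processing instructions and the like: not needed in a description.
            $node->removeChild($child);
        }
    }
}

function isSafeUrl(string $url): bool
{
    // Browsers ignore control characters and whitespace inside a scheme
    // ("java\tscript:"), so drop them before looking at it.
    $normalized = preg_replace('/[\x00-\x20]+/', '', $url);
    if (preg_match('/^([a-z][a-z0-9+.-]*):/i', $normalized, $m)) {
        return in_array(strtolower($m[1]), ALLOWED_URL_SCHEMES, true);
    }
    return true;   // no scheme: a relative URL, which stays on this origin
}

// Constructed sample input for the example (not real data from the site).
$untrusted = '<p onclick="steal()">Great <b>product</b>!</p>'
    . '<script>alert(1)</script>'
    . '<a href="javascript:alert(1)">click</a>'
    . '<a href="https://example.com/">site</a>'
    . '<div style="position:fixed">unwrapped text</div>';

echo sanitizeHtml($untrusted), PHP_EOL;
```

Two points about the design. First, sanitize on output (or on save, and then only ever render the sanitized copy), never by trusting that the browser-side editor already filtered the input; an admin account can be compromised, and the question rightly treats the admin as a possible attacker. Second, a hand-rolled sanitizer like this one is fine for understanding the problem, but for production use the established PHP library for this job is HTML Purifier, which ships a maintained allowlist and handles the many HTML parsing quirks that a short function will miss.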
© Stack Overflow or respective owner