Displaying untrusted HTML using PHP

Posted by esryl on Stack Overflow See other posts from Stack Overflow or by esryl
Published on 2010-05-01T18:38:15Z Indexed on 2010/05/01 18:47 UTC
Read the original article Hit count: 309

Filed under:
|
|

I have a read a number of excellent questions and answers today about dealing with user input. I am now using htmlspecialchars() to display user data in the create/edit forms (but accepting the raw input via prepared PDO statements into my database).

The main question I know have is, what do you do when you are allowing the user to submit HTML which will then be displayed to the public. Obviously htmlspecialchars() is no longer suitable as it just encodes the tags and renders the content useless for purpose.

My application is currently accepting HTML from an admin for product descriptions. This would allow a malicious admin to inject potentially unsafe data into public facing pages.

How do people cope with this?

© Stack Overflow or respective owner

Related posts about php

Related posts about validation