Blocking HTML and Javascript from being displayed on my site
- by Tim Powell
I am working on this new social networking site. One of it's various functions is posting. You can post to Facebook and my site, or Twitter and my site. That being said, I couldn't help but try and post HTML as I was testing sql injection. When I did, I noticed that there where ways to manipulate the site to, for instance, using a element to completely screw up the CSS design, or redirect a user to another site using javascript. That being said, I want to make my site a safe environment for my users... not a site that is used to distribute computer viruses, porn, and other things that might make someone tend to stay off of my site. When I searched this topic, I found ways to "strip" the HTML out of the $post variable before submitting it to the database. However, I would just like to make it so you can post any text, including HTML and Javascript, without the browser interpreting it as "run this..." code: I want to display it as plane text. I've seen it on Facebook, and when I looked at it the source code of a post, it showed <, /, and as regular text. I tried "dissecting" Facebook's source code, but found nothing. I have tried using tags such as <pre> and <code>, but because of the lack of ability to style and control them, I gave up and went back to just allowing HTML. Please, anyone who knows how to do this, please help me out.
Thanks in advance,
TP