Escaping HTML

Hello,

I’m building some web app where users are allowed to style their textarea input. I will use tinymce for that, so my question is, is it enough to filter HTML data with DOMDocument class by whitelisting HTML tags and attributes? Am I safe from XSS attacks?

For maximum control, whitelist a very small subset of HTML, such as bold, italic, underline. You don’t need to give them everything.

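To make the "small whitelist" advice concrete, here is an added example of what such a sanitizer looks like; it is written in Python and is not code from the original post (the thread's own stack is PHP's DOMDocument, but the approach is the same). It keeps only bold, italic, underline, paragraphs, line breaks and links, drops every other tag and every attribute not on the per-tag list (so `onclick`, `style` and friends never survive), rejects `href` values whose scheme is not `http`, `https` or `mailto` even when tabs or newlines are smuggled into the scheme, discards `<script>`/`<style>` together with their contents, and rebalances tags so the output is well-formed. The tag and attribute lists are assumptions chosen for the example; tighten them to what the editor actually needs.

```python
"""Whitelist-based HTML sanitizer for rich-text input (added example)."""
import html
from html.parser import HTMLParser

# Assumed whitelist: the formatting a small rich-text editor needs.
ALLOWED_TAGS = {"b", "i", "u", "em", "strong", "p", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}          # per-tag attribute whitelist
VOID_TAGS = {"br"}                       # elements without a closing tag
DROP_CONTENT_TAGS = {"script", "style"}  # tag and its text both disappear
SAFE_SCHEMES = {"http", "https", "mailto"}


def safe_url(value):
    """Return True if the URL is relative or uses a whitelisted scheme."""
    # Browsers ignore tabs, newlines and other control characters inside a
    # URL, so remove them before inspecting the scheme ("java\nscript:"
    # must be treated as "javascript:").
    cleaned = "".join(
        ch for ch in value if ord(ch) > 0x20 and ord(ch) != 0x7F
    ).lower()
    # The scheme is whatever precedes the first ':' that appears before any
    # '/', '?' or '#'. If no such ':' exists the URL is relative.
    for idx, ch in enumerate(cleaned):
        if ch == ":":
            return cleaned[:idx] in SAFE_SCHEMES
        if ch in "/?#":
            return True
    return True


class WhitelistSanitizer(HTMLParser):
    """Re-emits only whitelisted markup; everything else is text or dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []    # tags we emitted and still have to close
        self.skipping = False  # True while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if self.skipping:
            return
        if tag in DROP_CONTENT_TAGS:
            self.skipping = True
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped; its text content is kept
        kept = []
        for name, value in attrs:  # HTMLParser already lowercases names
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # onclick, style, id, class, ... all end here
            value = value or ""
            if name == "href" and not safe_url(value):
                continue  # javascript:, data:, vbscript:, ... rejected
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skipping:
            if tag in DROP_CONTENT_TAGS:
                self.skipping = False
            return
        if tag not in self.open_tags:
            return  # stray or already-closed tag, ignore it
        # Close everything opened after this tag so the output stays balanced.
        while self.open_tags:
            closing = self.open_tags.pop()
            self.out.append("</%s>" % closing)
            if closing == tag:
                break

    def handle_data(self, data):
        # Character references were decoded by the parser; re-escape so text
        # can never be reinterpreted as markup.
        if not self.skipping:
            self.out.append(html.escape(data, quote=False))

    # Comments, doctypes and processing instructions fall through to the
    # base class's no-op handlers and are therefore dropped.

    def result(self):
        self.close()
        while self.open_tags:  # close anything the input left open
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize(fragment):
    """Sanitize an untrusted HTML fragment down to the whitelist."""
    parser = WhitelistSanitizer()
    parser.feed(fragment)
    return parser.result()


if __name__ == "__main__":
    # Constructed sample of the kind of input a sanitizer has to survive.
    print(sanitize('<p onclick="alert(1)">Hi <b>there</b> '
                   '<a href="java\nscript:alert(1)">link</a></p>'
                   '<script>alert(1)</script><img src=x onerror=alert(1)>'))
```

Run the sanitizer server-side on every save, regardless of what TinyMCE enforces in the browser: the editor's client-side restrictions are a usability feature, not a security boundary, and anyone can post directly to the endpoint. Serve the stored result with an explicit charset and a Content-Security-Policy so that a gap in the whitelist does less damage.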