Escaping HTML


I’m building some web app where users are allowed to style their textarea input. I will use tinymce for that, so my question is, is it enough to filter HTML data with DOMDocument class by whitelisting HTML tags and attributes? Am I safe from XSS attacks?

1 Like

For maximum control, whitelist a very small subset of HTML, such as bold, italic, underline. You don’t need to give them everything.

1 Like

This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.