Properly sanitize HTML input

[IchBin]

I have a script that I'm creating which allows users to submit news articles. I realize the caveats of allowing users to input such data, but the couple users who I allow to post I trust. These two like to design in their own apps which use some type of wysiwig to create their HTML layout. What I don't know as a coder, is the proper method of doing my best to sanitize this data. I don't really want to try and include some library that does all of this stuff. I'd like just a run down on how it could be done with my own coding.

 

I've done a few searches, but I'm not sure I know the right search terms to get what I'm looking for. If you have any links to other topics, that would be great.

 

Should all the HTML characters be converted to entities? Is it necessary?  That would mean I'd have to decode the HTML for display. Do I gain any security from having to do that? It doesn't sound like it to me.

 

Should I use addslashes()?

 

Of course mysql_real_escape_string() would be used on the query to insert. But I'm thinking I need to do more with the data before it gets inserted.

 

Basic steps to protect myself is all I'm looking for. Thanks for any input.

 

 

--edit--

 

Sorry, posted in installation. Would a mod please move me to the PHP code board...

[micah1701]

I'd say look in to using the strip_tags() functions: http://php.net/manual/en/function.strip-tags.php

 

on its own, it removes ALL html, but you can also specify which tags you want to allow, such as <p>,<strong>,<em>,<a> ect...

 

then yes, use mysql_real_escape_string() when you insert it into the database

[IchBin]

That's just it, I don't really want to strip any tags. I want to allow these two people to post any html they want. I just want to make sure I am able to protect my server as much as possible.

 

I'm guessing as long as I lock it down to them and make sure I do the appropriate escaping/cleaning before putting it into the database, that might be all I can do.

[mikesta707]

If you aren't worried about your users injecting harmful HTML into the news articles, than sanitizing isn't really a problem. html entities/decode might be good so you don't have to deal with quotes when inserting into the database (it turns quotes into entities also), but either way would be ok. One could argue that if you trust your users enough not to put harmful html into the news articles, you could trust them enough not to attempt to insert SQL injections.

 

Personally, I would strip all HTML tags and use a BBC code type system, but I don't trust anyone

[xyph]

BBCode is the way to go.

 

At the very least, remove any script, iframe, etc tags that allow outside information to be loaded into your site.

[mikesta707]

BBCode is the way to go.

 

At the very least, remove any script, iframe, etc tags that allow outside information to be loaded into your site.

 

In addition to this, also remember that people can use onXxx attributes (like onClick, onFocus, etc.) to insert javascript into your page. OnClick events may not seem very dangerous, but an event like onLoad with some javascript that did some bad stuff could potentially be devastating. However, this assumes that you do not trust the user inputting data. Simply stripping the tags that xyph suggested may very well suffice since you mentioned you trust the user input to a point

[IchBin]

Ok, thanks for the input gentlement. I'll go ahead and mark this solved. Just wanted to make sure there wasn't something I was missing.

[xyph]

Don't trust anyone. Use flexible bbcodes. Even the style attribute can be used for XSS attacks.

 

If you allow font options, paragraphs, tables, lists, images with alignment, possibly youtube or swf embeds (though swf embeds can be dangerous) - what else do you need?