Alright, I'd like to allow users to post comments with HTML, but also avoid things like abuse via scripts, iframes, and inline events.
How would I do this?
Why don't you pull the "CSS hidden input" trick? Don't make the input type as hidden because most bots won't change those. However, if you change one by CSS, then they will attempt to post data with that name.
Code:
<input type="text" name="lastname" value="" style="display: none" />
Only allow a certain range of HTML tags that can run without parameters.
Then you can use regular expressions to check if the tags are clean.
Because you have to avoid these types of entries:
Code:
<p onmouseover="eviljavascript.running;">blabla</p>
<img src="http://maliciousdomain.whatever/badscript.php">
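The allowlist approach described in the reply above, as an added example that is not code from the original thread: a small Python sanitizer built on the standard library's html.parser instead of regular expressions, because a tokenizing parser copes with odd spacing, mixed case, unclosed tags and nested tags that a regex check tends to miss. The set of allowed tags is an assumption for this example; every attribute is dropped, so onmouseover, src and style never reach the page, the bodies of script and style elements are discarded rather than escaped, and any text outside an allowed tag is re-escaped so a literal "<" or "&" cannot start new markup. The sample comment is constructed from the two payload shapes shown in the reply.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlist for this example: tags permitted with NO attributes,
# so inline event handlers, src/href and style never survive sanitizing.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li",
                "blockquote", "code", "pre"}
VOID_TAGS = {"br"}
# Raw-text elements whose body must be discarded, not merely escaped.
DROP_CONTENT_TAGS = {"script", "style"}


class AllowlistSanitizer(HTMLParser):
    """Rebuild user HTML from an allowlist; everything else becomes text or is dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # sanitized output fragments
        self.open_tags = []    # allowed tags currently open, for balancing
        self.skip_depth = 0    # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return                      # <img>, <iframe>, <a>, ... are removed
        self.out.append(f"<{tag}>")     # attributes are intentionally discarded
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag not in self.open_tags:
            return                      # stray close tag: ignore it
        # Close everything opened after this tag so the output stays well-formed.
        while self.open_tags:
            opened = self.open_tags.pop()
            self.out.append(f"</{opened}>")
            if opened == tag:
                break

    def handle_data(self, data):
        if self.skip_depth:
            return                      # body of <script>/<style> is dropped
        # Text is re-escaped, so a literal "<" or "&" cannot start new markup.
        self.out.append(escape(data, quote=False))

    # Comments, doctypes and processing instructions fall through to the
    # base class's no-op handlers and are therefore removed.

    def result(self):
        self.close()
        # Close any tags the user left open at the end of the comment.
        trailing = "".join(f"</{t}>" for t in reversed(self.open_tags))
        self.open_tags.clear()
        return "".join(self.out) + trailing


def sanitize_comment(html_text):
    """Return a version of html_text containing only allowlisted, attribute-free tags."""
    parser = AllowlistSanitizer()
    parser.feed(html_text)
    return parser.result()


if __name__ == "__main__":
    # Constructed sample comment using the two payload shapes from the thread.
    sample = ('<p onmouseover="eviljavascript.running;">blabla</p>'
              '<img src="http://maliciousdomain.whatever/badscript.php">'
              '<script>alert(1)</script><b>bold &amp; 1 < 2')
    print(sanitize_comment(sample))
    # prints: <p>blabla</p><b>bold &amp; 1 &lt; 2</b>
```

Because attributes are never copied, there is no need to maintain a blocklist of event names or URL schemes; extending the allowlist to tags that need attributes (such as links) would require a separate per-attribute allowlist and URL scheme check, which this example deliberately leaves out.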