Jacob Kaplan-Moss

Tag: html

FAQ: Untrusted users and HTML (February 24th, 2009)

An input form that takes raw HTML. It’s a pretty common thing to see in web apps these days: many comment forms allow HTML, or some subset thereof; many social-network-style applications allow end users to enter HTML in their profiles; etc. Unfortunately, allowing untrusted users to enter raw HTML is incredibly dangerous; read up on XSS if you don’t know why. So a common question that comes up in web developer circles deals with how best to “escape” user-entered HTML so that it is safe for presentation.…
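As an added example (not code from the original post), here is the allowlist approach to the problem the post raises, built on the standard library's html.parser: only allowlisted tags and attributes survive, event-handler attributes and links with unsafe schemes are dropped, and every text node is re-escaped on output. The tag, attribute and scheme allowlists are illustrative assumptions, not the post's own.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative allowlists: assumptions for this example, not the post's own.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "code", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_SCHEMES = {"http", "https", "mailto", ""}  # "" means a relative URL

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []    # emitted output fragments
        self.stack = []  # open allowlisted tags, so output stays balanced

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # drop the tag itself; its text content still comes through
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops style, onclick, onmouseover, ...
            value = (value or "").strip()  # a bare attribute arrives as None
            if name == "href" and urlparse(value).scheme not in SAFE_SCHEMES:
                continue  # drops javascript:, data:, vbscript: links
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag != "br":  # void element: never opened, so never closed
            self.stack.append(tag)

    def handle_endtag(self, tag):
        while tag in self.stack:  # stray or non-allowlisted close tags are ignored
            open_tag = self.stack.pop()  # also closes anything left open inside
            self.out.append(f"</{open_tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # text is always escaped

    def result(self):
        while self.stack:  # balance anything the input left unclosed
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)

def sanitize(untrusted_html):
    parser = AllowlistSanitizer()
    parser.feed(untrusted_html)
    parser.close()
    return parser.result()
```

Note that a `<script>` element is not blocked by pattern matching: its tag is simply not on the allowlist, so only its escaped text survives, which is the property an allowlist gives you that a denylist does not.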