How to prevent XSS (Cross Site Scripting) whilst allowing HTML input

Question

I have a website that allows to enter HTML through a TinyMCE rich editor control. It\'s purpose is to allow users to format text using HTML.

This user entered conten

Answer 1

Regular expressions are the wrong tool for the job, you need a real HTML parser or things will turn bad. You need to parse the HTML string and then remove all elements and attributes but the allowed ones (whitelist approach, blacklists are inherently insecure). You can take the lists used by Mozilla as a starting point. There you also have a list of attributes that take URL values - you need to verify that these are either relative URLs or use an allowed protocol (typically only http:/https:/ftp:, in particular no javascript: or data:). Once you've removed everything that isn't allowed you serialize your data back to HTML - now you have something that is safe to insert on your web page.