I developed a web application that permits my users to manage some aspects of a web site dynamically (yes, some kind of CMS) in a LAMP environment (Debian, Apache, PHP, MySQL
The general best strategy here is to whitelist specific tags and attributes that you deem safe, and escape/remove everything else. For example, a sensible whitelist might be , , , , , . Alternatively, consider human-friendly markup like Textile or Markdown that can be easily converted into safe HTML.
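The whitelist approach described in that answer, as an added example that is not code from the question or the answer: a sanitizer built on Python's standard-library `html.parser` that keeps only listed tags and attributes, drops `script`/`style` together with their text, rejects `href` values with unsafe URL schemes, and re-escapes every text node. The tag/attribute whitelist, the safe-scheme set and the sample inputs are assumptions chosen for the demonstration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed whitelist (an assumption, not the answer's list): tag -> attributes allowed on it.
ALLOWED = {"p": set(), "br": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
           "ul": set(), "ol": set(), "li": set(), "a": {"href", "title"}}
VOID, DROP_CONTENT = {"br"}, {"script", "style"}   # no end tag / discard tag *and* its text
SAFE_SCHEMES = {"http", "https", "mailto", ""}      # "" keeps relative links such as /page

class WhitelistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities are decoded, so every text node is re-escaped
        self.out, self.stack, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
        if tag not in ALLOWED or self.skip:
            return                               # unknown tag dropped; its text is still kept (escaped)
        kept = []
        for name, value in attrs:
            value = (value or "").strip()
            if name not in ALLOWED[tag]:
                continue                         # drops onclick=, style=, ... on allowed tags
            if name == "href" and urlparse(value).scheme.lower() not in SAFE_SCHEMES:
                continue                         # drops javascript:, data:, vbscript: links
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT and self.skip:
            self.skip -= 1
        while tag in self.stack:                 # close back to (and including) the matching open tag
            self.out.append(f"</{self.stack.pop()}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))

def sanitize(fragment: str) -> str:
    p = WhitelistSanitizer()
    p.feed(fragment)
    p.close()
    while p.stack:                               # balance anything the user left open
        p.out.append(f"</{p.stack.pop()}>")
    return "".join(p.out)
```

Because the parser decodes entities before the sanitizer sees them, an obfuscated `javascript&#58;` URL is judged on its decoded form, and user-supplied `&lt;` survives as text rather than becoming a tag.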