Avoid XSS and allow some html tags with JavaScript

自闭症患者 2020-12-09 13:45

I've got a problem in my current project: Users can send an email using a textarea. We allow the user to put in whatever they want, and thus some HTML for formatting. For e

5 answers
  •  小蘑菇 (OP)
     2020-12-09 14:09

    Best way to avoid most of the XSS attacks is:

    • By sanitizing your data so text is properly escaped before it hits the HTML (you can build exceptions for your and and others

    • Using Content Security Policy to disable all inline scripting (also avoids man-in-the-middle attacks): http://www.html5rocks.com/en/tutorials/security/content-security-policy/

    These two together will make your site pretty robust
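An added example (not code from this thread) of the escape-then-allowlist approach the answer describes: the whole input is HTML-escaped first, then only bare, attribute-free forms of a small set of formatting tags are restored. The tag list and function names are assumptions for illustration.

```javascript
// Added example: escape everything, then re-enable a few bare formatting tags.
// Because escaping happens first, a tag carrying attributes (onclick=, href=)
// never matches the restored pattern and stays inert text.

// Assumed allowlist of formatting tags users may keep.
const ALLOWED_TAGS = ['b', 'i', 'em', 'strong', 'u', 'p', 'br'];

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape every character that could open, close or break out of markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Restore only the escaped forms of "<tag>", "</tag>" and "<tag/>" for
// allowlisted names. No attributes, no whitespace, no other tag names.
function sanitizeHtml(text) {
  const escaped = escapeHtml(text);
  const names = ALLOWED_TAGS.join('|');
  const bareTag = new RegExp(`&lt;(\\/?)(${names})(\\/?)&gt;`, 'gi');
  return escaped.replace(bareTag, (_m, close, name, selfClose) =>
    `<${close}${name.toLowerCase()}${selfClose}>`);
}

// Constructed sample inputs: allowed formatting, a script tag, an allowed
// tag smuggling an event handler, and an already-escaped literal.
const samples = [
  'Hello <b>world</b><br/>',
  '<script>alert(1)</script>',
  '<b onmouseover="alert(1)">x</b>',
  '&lt;b&gt;not live&lt;/b&gt;',
];
for (const s of samples) {
  console.log(JSON.stringify(s), '=>', JSON.stringify(sanitizeHtml(s)));
}
```

The last sample shows that text a user already escaped is escaped again (`&amp;lt;`), so no entity trick can re-open a tag; the CSP header from the answer is a separate, server-side layer that still applies to whatever this function lets through.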
