Best Practice: User generated HTML cleaning

Frontend | Unresolved | 4 answers | 1178 views
旧巷少年郎 2021-01-02 22:47

I'm coding a WYSIWYG editor with designMode="on" on an iframe. The editor works fine and I store the code as-is in the database.

Before outputting the HTML I need

4 answers
  •  粉色の甜心
    2021-01-02 23:31

    If you're really bent on allowing this, you should use a white list approach.

    The best approach is probably to disallow HTML and use a simplified markup format instead; you can pre-render to HTML and store that in the database if performance is a concern. Avoiding these sorts of problems is one of the big reasons for using Markdown, Textile, reStructuredText, etc.

    NOTE: I linked to GitHub-Flavored Markdown (GFM), not Standard Markdown (SM). GFM addresses some common problems that end-users have with SM.
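The whitelist approach recommended in the answer above, as an added example that is not part of the original post: a small sanitizer built on Python's standard-library html.parser, meant to run on the server before the stored HTML is output. The tag and attribute whitelist, the allowed URL schemes and the sample input are assumptions chosen to suit a simple WYSIWYG editor; everything not on the list is dropped rather than escaped.

```python
"""Whitelist HTML sanitizer on the stdlib html.parser (added example, not
code from the original post).

Assumptions: the whitelist below matches a simple WYSIWYG editor. Unknown
tags lose their markup but keep their text; <script>/<style> lose their
content as well; only a href/title survive as attributes.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {
    "p", "br", "b", "strong", "i", "em", "u", "ul", "ol", "li", "a",
    "blockquote", "h1", "h2", "h3", "pre", "code",
}
VOID_TAGS = {"br"}                        # never pushed on the open-tag stack
ALLOWED_ATTRS = {"a": {"href", "title"}}  # per-tag attribute whitelist
ALLOWED_URL_SCHEMES = {"http", "https", "mailto"}
DROP_CONTENT_TAGS = {"script", "style"}   # tag AND its content are removed


def safe_url(value):
    """Return the URL if its scheme is whitelisted (or relative), else None."""
    # Browsers ignore tab/CR/LF inside URLs, so "java\tscript:" is still
    # javascript: to them; strip those before looking at the scheme.
    cleaned = "".join(ch for ch in value if ch not in "\t\r\n").strip()
    scheme = urlparse(cleaned).scheme     # already lower-cased by urlparse
    if scheme == "" or scheme in ALLOWED_URL_SCHEMES:
        return cleaned
    return None


class WhitelistSanitizer(HTMLParser):
    def __init__(self):
        # convert_charrefs=True: text and attribute values arrive decoded, so
        # "&#106;avascript:" is seen as "javascript:" and text is re-escaped.
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # allowed tags emitted and not yet closed
        self.skip_depth = 0   # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            return
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return                        # drop the tag, keep its text
        kept = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, ()):
                continue                  # drops onclick=, style=, etc.
            if name == "href":
                value = safe_url(value)
                if value is None:
                    continue
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth = 0
            return
        if tag not in self.open_tags:
            return                        # stray or disallowed closing tag
        # Close everything opened after it so the output stays well formed.
        while self.open_tags:
            top = self.open_tags.pop()
            self.out.append("</%s>" % top)
            if top == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass                              # comments are dropped

    def result(self):
        while self.open_tags:             # close whatever the input left open
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize(html):
    parser = WhitelistSanitizer()
    parser.feed(html)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed sample input, not taken from the original post.
    dirty = ('<p onclick="steal()">Hi <b><i>there</b></p>'
             '<script>alert(1)</script><img src=x onerror=alert(1)>'
             '<a href="java\tscript:alert(1)" title="t">x</a>'
             '<a href="https://example.com/?a=1&amp;b=2">ok</a> &lt;script&gt;')
    print(sanitize(dirty))
```

Two design points worth keeping even if the tag list changes: the output is rebuilt from the parser's events rather than patched with regexes, so malformed or half-closed input cannot smuggle markup through, and `href` is checked by parsed scheme after entity decoding and whitespace stripping, which is what defeats `&#106;avascript:` and `java&#9;script:` variants. The stdlib parser is lenient and is not an HTML5 tokenizer, so for production use a maintained sanitizer library with the same whitelist discipline.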
