Allow user submitted HTML in PHP

后悔当初 2020-12-01 20:13

I want to allow a lot of user-submitted HTML for user profiles. I currently try to filter out what I don't want, but I now want to change and use a whitelist approach.

7 Answers
  • 2020-12-01 21:12

    For those of you suggesting simply using strip_tags...be aware: strip_tags will NOT strip out tag attributes and broken tags will also mess it up.

    From the manual page:

    Warning: Because strip_tags() does not actually validate the HTML, partial, or broken tags can result in the removal of more text/data than expected.

    Warning: This function does not modify any attributes on the tags that you allow using allowable_tags, including the style and onmouseover attributes that a mischievous user may abuse when posting text that will be shown to other users.

    You CANNOT rely on just this one solution.

    0 Discussion (0)
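
Added example (not part of the original answer): a tag-and-attribute allowlist of the kind the question asks for, built on PHP's DOMDocument parser so that attributes are checked as well, which strip_tags does not do. The policy in `ALLOWED_TAGS`, the function names `clean_node` and `sanitize_html`, and the sample input are assumptions made for illustration.

```php
<?php
// Assumed policy for illustration: tag => attributes allowed on that tag.
const ALLOWED_TAGS = ['b' => [], 'i' => [], 'p' => [], 'br' => [], 'a' => ['href']];
function clean_node(DOMNode $node): void
{
    // Snapshot the children: the live list changes as nodes are removed.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if ($child->nodeType === XML_TEXT_NODE) {
            continue; // plain text is entity-escaped again when serialized
        }
        $tag = strtolower($child->nodeName);
        if (!$child instanceof DOMElement || !array_key_exists($tag, ALLOWED_TAGS)) {
            $node->removeChild($child); // comments, <script>, <img>, ... go entirely
            continue;
        }
        foreach (iterator_to_array($child->attributes, false) as $attr) {
            $ok = in_array($attr->nodeName, ALLOWED_TAGS[$tag], true);
            // href must start with an allowed scheme; anything else is dropped.
            if ($ok && $attr->nodeName === 'href') {
                $ok = preg_match('#^(?:https?://|mailto:)#i', $attr->nodeValue) === 1;
            }
            if (!$ok) {
                $child->removeAttributeNode($attr);
            }
        }
        clean_node($child);
    }
}

function sanitize_html(string $html): string
{
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true); // broken tags are expected input
    // Wrap the fragment so that only the user's part is serialized afterwards.
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>', LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    $root = $doc->getElementsByTagName('div')->item(0);
    clean_node($root);
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}
// Constructed sample input, using the attributes the manual warning names.
$input = '<b onmouseover="alert(1)">bold</b> <a href="https://example.com/" style="color:red">link</a>';
echo strip_tags($input, '<b><a>'), "\n"; // strip_tags leaves attributes on allowed tags
echo sanitize_html($input), "\n";        // allowlist applied to tags and attributes
```

Disallowed elements are removed together with their content, and the output is re-serialized from the parsed tree rather than pattern-matched from the raw string, so partial or broken tags are normalized by the parser first.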