
strip_tags + htmlentities + special chars in textarea with WYSIWYG editor

I have trouble with a textarea input that has a (simple) WYSIWYG editor. The DB rows are in utf8_general_ci, and right now I set the HTML text in the template with this:

htmlentities(utf8_decode($row['field']))

The problem is the WYSIWYG editor: if the user puts in a <strong>, <p> or similar, the text shown in the template is the string code of the tag, not the rendered tag, because I use htmlentities. But if I don't use it and show the raw text, the problem is the "special tags", for example <script>, <iframe>.

The solution for this is to use strip_tags(), allowing ONLY the tags used by the editor, but one problem persists with this: if the user uses, for example, <p onclick="alert('fckoff!')">HELLO!</p>, the alert is shown because it is an allowed HTML tag.

Does any method exist to allow ONLY certain tags, prevent escaping of special chars (like ', ", ñ, or '`´), and limit these "security issues"?

Thanks!


You could make a function to remove any content you don't want, using regular expressions.

For example to remove the onclick js event you could do something like:

$field = preg_replace('/onclick=\"[^"]*\"/', '', $field);

For multiple tags you could:

$field = preg_replace('/(onclick|onload|onwhatever|...)=\"[^"]*\"/', '', $field);
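As an added example (not code from the question or from either answer), here is a whitelist sanitizer written in PHP on top of DOMDocument instead of regular expressions. Parsing the markup lets you keep only the tags the editor needs, drop every attribute except a short allow-list (so any on* event handler disappears regardless of its name or quoting style), and reject javascript: URLs in href, while text such as ñ, quotes and backticks is left untouched. The function names sanitize_editor_html and is_safe_url, the tag/attribute lists, and the sample input are assumptions made for this illustration; the input is assumed to already be UTF-8 (convert it first if the column is latin1, as the question's utf8_decode() call suggests).

```php
<?php
// Added example, not from the original question or answers.
// Assumes PHP with ext/dom (DOMDocument) and UTF-8 input.

// Return true only for relative URLs or http/https/mailto schemes.
function is_safe_url($url)
{
    // Browsers ignore control characters and whitespace inside the scheme
    // (e.g. "java\tscript:"), so strip them before looking at the scheme.
    $probe = preg_replace('/[\x00-\x20]+/', '', $url);
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $probe, $m)) {
        return in_array(strtolower($m[1]), array('http', 'https', 'mailto'), true);
    }
    return true; // no scheme: relative link, fragment, or query string
}

// Walk the tree, removing what is not on the allow-lists.
function clean_node(DOMNode $node, array $allowedTags, array $allowedAttrs, array $dropWithContent)
{
    // Copy the child list first: the tree is mutated while iterating.
    $children = array();
    foreach ($node->childNodes as $child) {
        $children[] = $child;
    }
    foreach ($children as $child) {
        if ($child->nodeType === XML_COMMENT_NODE) {
            $node->removeChild($child);      // comments can hide conditional markup
            continue;
        }
        if ($child->nodeType !== XML_ELEMENT_NODE) {
            continue;                        // text nodes are kept verbatim
        }
        $tag = strtolower($child->nodeName);
        if (in_array($tag, $dropWithContent, true)) {
            $node->removeChild($child);      // e.g. <script>: drop tag AND its body
            continue;
        }
        if (!in_array($tag, $allowedTags, true)) {
            // Unknown tag: behave like strip_tags and keep only its children.
            clean_node($child, $allowedTags, $allowedAttrs, $dropWithContent);
            while ($child->firstChild) {
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
            continue;
        }
        // Allowed tag: remove every attribute that is not explicitly allowed,
        // which covers onclick/onload/onmouseover/... without listing them.
        $keep  = isset($allowedAttrs[$tag]) ? $allowedAttrs[$tag] : array();
        $attrs = array();
        foreach ($child->attributes as $attr) {
            $attrs[] = $attr;
        }
        foreach ($attrs as $attr) {
            $name = strtolower($attr->name);
            if (!in_array($name, $keep, true) || ($name === 'href' && !is_safe_url($attr->value))) {
                $child->removeAttribute($attr->name);
            }
        }
        clean_node($child, $allowedTags, $allowedAttrs, $dropWithContent);
    }
}

function sanitize_editor_html($html)
{
    // Hypothetical allow-lists: adjust to what the editor actually emits.
    $allowedTags     = array('p', 'br', 'strong', 'em', 'ul', 'ol', 'li', 'a');
    $allowedAttrs    = array('a' => array('href'));
    $dropWithContent = array('script', 'style', 'iframe', 'object', 'embed');

    $doc = new DOMDocument('1.0', 'UTF-8');
    libxml_use_internal_errors(true);        // tolerate sloppy editor markup quietly
    // The leading XML declaration tells libxml the fragment is UTF-8, so ñ etc.
    // are not mis-decoded as Latin-1.
    $doc->loadHTML('<?xml encoding="UTF-8"><html><body>' . $html . '</body></html>');
    libxml_clear_errors();

    $body = $doc->getElementsByTagName('body')->item(0);
    clean_node($body, $allowedTags, $allowedAttrs, $dropWithContent);

    // Serialize only the body's children so no <html>/<body> wrapper leaks out.
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample input mimicking the cases in the question.
$input = '<p onclick="alert(\'fckoff!\')">HELLO!</p>'
       . '<script>alert(1)</script>'
       . '<a href="javascript:alert(2)">click</a>'
       . '<a href="https://example.com/?q=1">ok</a>'
       . '<b>bold ñ "quotes" `backtick`</b>';
echo sanitize_editor_html($input), PHP_EOL;
```

Run this once on the stored value before rendering it; because the result contains only allow-listed tags and attributes it can be echoed into the template directly, while ordinary form fields that are not meant to hold HTML still go through htmlspecialchars($s, ENT_QUOTES, 'UTF-8') on output.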


As you are using a custom CMS/framework, this is a very complicated thing, so I suggest you copy function(s) from a framework like CodeIgniter. Here you will find good code (public function xss_clean): https://github.com/EllisLab/CodeIgniter/blob/develop/system/core/Security.php

You can modify it according to your need. And keep your code updated with the above link's function to be secure from new threats.
