allowing users to add custom html to profile page [closed]
I want users to be able to add custom HTML to the site and I want to avoid XSS attacks. How do I do this? I thought I would only allow a few tags like these:
[b], [i], [u], [img], [hr], [list], [color=X], [size=X], [font=X], [url]
and remove everything else.
Most would recommend using a BBCode parser extension for PHP. This means that you have to have the extension installed, however. You could do this using regular expressions, but you would definitely need to be careful. Nested tags will add more complication than regex is equipped to handle. You start having to use things like recursive regex replacements using callbacks, and don't even get me started on what happens when users improperly nest their tags or put double quotes into their anchor URLs.
Using regex for BBCodes usually means you end up dying a grisly death.
Instead of dealing with the endless complexity of allowing users to program a website while maintaining security, wrap up the HTML with a simple UI. Akin to what you see right above the answers we post in SO. Click a button...get some bold...click...underline...etc
You could go with BBCode, MediaWiki formatting or straight HTML, and filter to allow only certain tags with certain attributes/values. You can also ease the task for your users with an RTE (Rich Text Editor).
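The two answers above make the same point from different sides: a regex replace over BBCode falls apart on nested or mis-nested tags and on quotes inside URLs, and whatever you accept has to be whitelisted down to the attribute value. Below is an added example, written for this page rather than taken from the question, any answer, or a PHP BBCode extension, of how a small tokenizer does that for the question's tag list. It is Python rather than PHP so the logic is easy to read; the same shape ports directly to PHP (`htmlspecialchars` with `ENT_QUOTES` plays the role of `html.escape`). The concrete rules are assumptions chosen for the example: the set of allowed fonts, the `8..36` px size range, the colour pattern, the `http`/`https`-only URL check, the two URL forms `[url=...]` and `[url]...[/url]`, and leaving `[*]` list items as plain text.

```python
"""Whitelist BBCode -> HTML without ever emitting raw user HTML.

Added example, not code from the question or answers. Design:
  * every run of user text is HTML-escaped, always;
  * tags are tokenized and tracked on a stack, so nesting is explicit
    and mis-nested or unclosed tags still yield balanced HTML;
  * every attribute value is validated against a whitelist or pattern,
    then escaped again when placed inside a quoted HTML attribute.
Tag rules below are assumptions for illustration.
"""
import html
import re
from urllib.parse import urlparse

TOKEN_RE = re.compile(r"\[(/?)([a-z]+)(?:=([^\]]*))?\]", re.IGNORECASE)

# Simple container tags with no argument: BBCode name -> (open, close)
SIMPLE = {
    "b": ("<b>", "</b>"),
    "i": ("<i>", "</i>"),
    "u": ("<u>", "</u>"),
    "list": ("<ul>", "</ul>"),  # assumption: [*] items are left as text here
}
ALLOWED_FONTS = {"arial", "verdana", "courier", "georgia"}  # assumption
COLOR_RE = re.compile(r"^(#[0-9a-f]{3}|#[0-9a-f]{6}|[a-z]{3,20})$", re.I)


def safe_url(raw):
    """Return the URL only if it is absolute http(s); else None.

    Rejects javascript:, data:, vbscript: and scheme-less values outright
    instead of trying to blacklist them.
    """
    raw = raw.strip()
    parsed = urlparse(raw)
    if parsed.scheme.lower() not in ("http", "https") or not parsed.netloc:
        return None
    return raw


def open_tag(name, arg):
    """Return (open_html, close_html) for a whitelisted tag, or None."""
    if name in SIMPLE and arg is None:
        return SIMPLE[name]
    if name == "color" and arg and COLOR_RE.match(arg):
        return '<span style="color:%s">' % html.escape(arg), "</span>"
    if name == "size" and arg and arg.isdigit() and 8 <= int(arg) <= 36:
        return '<span style="font-size:%dpx">' % int(arg), "</span>"
    if name == "font" and arg and arg.lower() in ALLOWED_FONTS:
        return '<span style="font-family:%s">' % arg.lower(), "</span>"
    if name == "url" and arg and safe_url(arg):
        return '<a href="%s" rel="nofollow">' % html.escape(arg), "</a>"
    return None  # unknown tag or bad argument: caller shows it literally


def bbcode_to_html(text):
    out, stack, pos = [], [], 0          # stack holds (name, close_html)
    tokens = list(TOKEN_RE.finditer(text))
    i = 0
    while i < len(tokens):
        m = tokens[i]
        out.append(html.escape(text[pos:m.start()]))   # escape plain text
        pos = m.end()
        closing, name, arg = m.group(1) == "/", m.group(2).lower(), m.group(3)
        if closing:
            if any(n == name for n, _ in stack):
                # Close everything opened after this tag, so mis-nested input
                # such as [b][i]x[/b][/i] still produces balanced HTML.
                while True:
                    opened, close_html = stack.pop()
                    out.append(close_html)
                    if opened == name:
                        break
            else:
                out.append(html.escape(m.group(0)))     # stray close tag
        elif name == "hr" and arg is None:
            out.append("<hr>")
        elif name in ("img", "url") and arg is None:
            # Body-as-URL form: the whole body up to the matching close tag
            # must be one valid URL, otherwise the tag is shown literally.
            j = i + 1
            nxt = tokens[j] if j < len(tokens) else None
            if nxt and nxt.group(1) == "/" and nxt.group(2).lower() == name:
                url = safe_url(text[m.end():nxt.start()])
                if url:
                    esc = html.escape(url)
                    out.append('<img src="%s" alt="">' % esc if name == "img"
                               else '<a href="%s" rel="nofollow">%s</a>' % (esc, esc))
                else:
                    out.append(html.escape(text[m.start():nxt.end()]))
                pos, i = nxt.end(), j
            else:
                out.append(html.escape(m.group(0)))
        else:
            pair = open_tag(name, arg)
            if pair:
                out.append(pair[0])
                stack.append((name, pair[1]))
            else:
                out.append(html.escape(m.group(0)))     # rejected: show literally
        i += 1
    out.append(html.escape(text[pos:]))
    while stack:                                        # auto-close leftovers
        out.append(stack.pop()[1])
    return "".join(out)
```

Rejected tags and bad arguments are echoed back escaped rather than silently dropped, which makes the behaviour easy for users to understand and for you to test. The only HTML the function can emit is the fixed strings in `SIMPLE`, `open_tag` and the two URL branches, with every interpolated value either validated against a closed set or escaped with `html.escape` (which handles `"` and `'`), so the double-quote-in-URL case from the first answer ends up as `&quot;` inside the attribute.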