Web Hosting Talk

View Full Version : Allowing users to post html


MrEdd
07-29-2004, 10:43 AM
I'm looking for a little advice. I'm setting up a page where users can post a profile page. I have set it up so that they can post bbcode to format the text a little and post images using [img ] tags etc. I'm considering the option of allowing some html to allow better formatting of the page.

I'm aware that there are exploits that people could take advantage of using JavaScript etc. on people that would be browsing the page. My question is, which html tags could I allow that could in no possible way be used as part of an exploit or used to cause problems?

Another quick question, how can I show the submitted html unparsed (I need to be able to view it for moderation purposes)?

Thanks in advance.

t3r0
07-29-2004, 12:31 PM
Originally posted by MrEdd
My question is, which html tags could I allow that could in no possible way be used as part of an exploit or used to cause problems?

Well, at least <b>, <em>, <ul>, <li> etc. text formatting tags are 100% safe to allow.

Originally posted by MrEdd
Another quick question, how can I show the submitted html unparsed (I need to be able to view it for moderation purposes)?

You can save the unparsed html to your db and then strip the unwanted tags before showing it to users...
something like:

echo strip_tags($html);

Colin-uk
07-29-2004, 01:58 PM
<br> <hr> should be safe too

Marble
07-29-2004, 06:39 PM
Also watch out for tags that can screw up your layout...

You can use strip_tags(); and also list which tags to not strip out. See php.net for exact syntax.

Anything that has URLs and script is what you need to watch out for.
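
Added example (not part of the original thread): strip_tags() with an allowed-tags list keeps whatever attributes sit on the allowed tags, so this sketch shows that call next to an escape-first allowlist for the public page and an escaped view for moderation. The function names moderation_view() and public_view(), the tag list taken from the replies above, and the sample input are assumptions made up for illustration.

```php
<?php
// Added example, not code from the thread. The sample input is constructed.

// Formatting-only tags suggested in the replies; nothing that carries a URL.
const ALLOWED_TAGS = ['b', 'em', 'ul', 'li', 'br', 'hr'];

// Moderation view: every character is escaped, so the browser shows the
// submitted markup as literal text instead of parsing it.
function moderation_view(string $html): string
{
    return htmlspecialchars($html, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Public view: escape the whole input first, then turn back only bare
// allowlisted tags. A tag carrying any attribute (onmouseover, style, ...)
// does not match the pattern and stays as inert escaped text.
function public_view(string $html): string
{
    $escaped = htmlspecialchars($html, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $names   = implode('|', ALLOWED_TAGS);

    // Matches &lt;b&gt;, &lt;/b&gt;, &lt;br&gt; and &lt;br /&gt; only.
    return preg_replace_callback(
        '~&lt;(/?)(' . $names . ')(?:\s*/)?&gt;~i',
        function (array $m): string {
            return '<' . $m[1] . strtolower($m[2]) . '>';
        },
        $escaped
    );
}

// Constructed profile text: an allowed tag with an event-handler attribute,
// a clean allowed tag, a disallowed tag, and a self-closing allowed tag.
$submitted = '<b onmouseover="alert(1)">hi</b> <em>ok</em>'
           . '<script>alert(2)</script><br />';

// strip_tags() drops the <script> tags but leaves the onmouseover
// attribute on <b> in place.
echo strip_tags($submitted, '<b><em><ul><li><br><hr>'), "\n";

// Escape-first allowlist: only attribute-free allowed tags become markup.
echo public_view($submitted), "\n";

// What a moderator would see rendered as text in the browser.
echo moderation_view($submitted), "\n";
```

public_view() does not balance unclosed tags, so an unterminated <b> or <ul> can still disturb the surrounding layout.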