Hi Seblod community,

i want to ask your opinion and thoughts about securing the content, which is generated by the visitors of your website. For example reviews, comments and so on. So this is not an issue related topic, but maybe the beginning of an interesting discussion :) And of course this is not only related to Seblod, but to all web solutions in general.

This is my starting point: I have a project where visitors can leave reviews and ask questions in a textarea. For the output i am using my own template so it is not difficult for me to strip away any tags with strip_tags and htmlspecialchars. But it is important for me that the output is structured at least with <br> and <p>. I know i could define some exceptions with strip_tags. But this is not a satisfying solution since it is not safe against XSS attacks in attributes.

So what i have done is that i included the open source library "HTMLPurifier" to filter any attributes in user-generated content. Its strips away any attributes without touching the tag itself. I know that there are also other solutions out there but for me the purifier does a good job.

So I am curious to know how other Sebloders handles this theme. What are your experiences so far?

kind regards