I have a textarea set up with CKEditor (a WYSIWYG editor) in which the user is allowed to enter information with a few markup options. However, I need to stop potential hackers exploiting this feature and entering malicious code.
I can strip out the tags I don't want using PHP's strip_tags() with an array of allowed tags: http://php.net/manual/en/function.strip-tags.php
However, the possibility still remains that an attacker could simply add onload, onclick, etc. to any HTML tag that is on the allowed list.
So what would be my best option to check for this type of issue?
My initial thought is to create a blacklist array of these JavaScript functions and then see if any of them occur within the entered data.
Does that sound like a good way to do it or are there better alternatives?
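The following is an added example (not code from the question or from CKEditor) illustrating the two points a reviewer would raise here: strip_tags() filters only tag names and leaves every attribute on an allowed tag intact, and a blacklist of event-handler names misses vectors such as a `javascript:` href, so the standard fix is an allow-list sanitizer that keeps only known tags, known attributes and known URL schemes. It uses only PHP's bundled ext/dom; the tag and scheme lists, the payload string and the helper names `sanitize_html` and `safe_url` are choices made for this illustration.

```php
<?php
// Added example, not part of the original question.
// (1) strip_tags() keeps attributes; (2) allow-list sanitizer on DOMDocument.

// Constructed test payload: handler attributes, a javascript: URL, a script
// block and an <img> with onerror, mixed with legitimate markup.
$payload = '<p onclick="alert(1)" ONLOAD="x">Hi <a href="javascript:alert(2)" title="t">x</a>'
         . '<a href="https://example.com">ok</a></p><script>bad()</script><img src=x onerror=alert(3)>';

// (1) strip_tags() removes <script> and <img> but leaves onclick, ONLOAD and
//     the javascript: href on the allowed <p> and <a> untouched.
echo strip_tags($payload, '<p><a>'), PHP_EOL;

// Returns true for a URL whose scheme is on the allow-list, or for a relative URL.
function safe_url(string $url, array $allowedSchemes): bool
{
    // Browsers ignore ASCII control characters and whitespace inside a URL, so
    // "java\tscript:" still executes; strip them before looking for a scheme.
    $probe = strtolower(preg_replace('/[\x00-\x20\x7f]+/', '', $url));
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/', $probe, $m)) {
        return in_array($m[1], $allowedSchemes, true);
    }
    return true; // no scheme: relative URL
}

// (2) Allow-list sanitizer. Unknown tags are unwrapped, unknown attributes are
//     dropped, so on* handlers never have to be enumerated. The HTML parser
//     decodes entities first, so "&#106;avascript:" is seen as "javascript:".
function sanitize_html(string $html): string
{
    // Tag => permitted attributes (assumed lists for this example).
    static $allowedTags = [
        'p' => [], 'br' => [], 'strong' => [], 'em' => [], 'u' => [],
        'ul' => [], 'ol' => [], 'li' => [], 'blockquote' => [],
        'a' => ['href', 'title'],
    ];
    // Elements whose content is code rather than prose: removed with their children.
    static $dropWithContent = ['script', 'style', 'template', 'iframe', 'object', 'embed'];
    static $allowedSchemes = ['http', 'https', 'mailto'];

    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // user markup is rarely well-formed
    $doc->loadHTML('<!DOCTYPE html><html><head><meta http-equiv="Content-Type" '
                 . 'content="text/html; charset=utf-8"></head><body>' . $html . '</body></html>');
    libxml_clear_errors();
    $body = $doc->getElementsByTagName('body')->item(0);

    // Bottom-up walk: a subtree is cleaned before its root is unwrapped or filtered.
    $walk = function (DOMNode $node) use (&$walk, $allowedTags, $dropWithContent, $allowedSchemes): void {
        // Snapshot the live NodeList; it shifts as nodes are removed or moved.
        foreach (iterator_to_array($node->childNodes, false) as $child) {
            if (!$child instanceof DOMElement) {
                if (!$child instanceof DOMText) {
                    $node->removeChild($child); // comments, processing instructions
                }
                continue;
            }
            $tag = strtolower($child->tagName);
            if (in_array($tag, $dropWithContent, true)) {
                $node->removeChild($child);
                continue;
            }
            $walk($child);
            if (!isset($allowedTags[$tag])) {
                // Unknown tag: keep its (already sanitized) children, drop the tag.
                while ($child->firstChild) {
                    $node->insertBefore($child->firstChild, $child);
                }
                $node->removeChild($child);
                continue;
            }
            foreach (iterator_to_array($child->attributes, false) as $attr) {
                $name = strtolower($attr->name);
                $keep = in_array($name, $allowedTags[$tag], true)
                     && (!in_array($name, ['href', 'src'], true) || safe_url($attr->value, $allowedSchemes));
                if (!$keep) {
                    $child->removeAttribute($attr->name);
                }
            }
        }
    };
    $walk($body);

    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

echo sanitize_html($payload), PHP_EOL;
```

Run on the constructed payload, the sanitizer drops the onclick and ONLOAD attributes from `<p>`, removes the `javascript:` href while keeping the title on the first link, keeps the https link unchanged, deletes the `<script>` element with its body, and unwraps the `<img>` (which has no children, so it disappears along with its onerror). For a real application the maintained allow-list sanitizer for PHP is HTML Purifier, which covers far more cases than this sketch (CSS in style attributes, nesting rules, encoding edge cases); the point of the example is that the decision is "is this tag, attribute and scheme known good", never "does this string contain a bad word".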