PHP: Prevent XSS with strip_tags()?

wolfturk

New Member
I have a PHP web application. I do NOT want to allow users to post HTML to my site.

If I simply run strip_tags() on all data prior to saving into my database, will strip_tags() be enough to prevent XSS?

I ask because it's unclear to me from reading the documentation of strip_tags if XSS is prevented. There seems to be some bug with browsers allowing <0/script> (yes, a zero) as valid HTML.

UPDATE

I realize that I can simply run htmlspecialchars on all outputted data; however, my thought is that - since I don't want to allow HTML in the first place, it's simply easier (and academically better) to clean my data once and for all, before saving in my database, than have to worry every time I output the data if the data is safe or not.
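
An added example, not part of the original post: it compares the two approaches named in the question (strip_tags() before saving versus htmlspecialchars() at output) when the stored value is later written into an HTML attribute. The helper names, the form field and the sample values are constructed for illustration.

```php
<?php
// Added example; function names and sample data are hypothetical.

// Approach from the question: clean once, before saving to the database.
function clean_on_input(string $raw): string
{
    return strip_tags($raw);
}

// Approach from the UPDATE: encode at output time for the HTML context.
function encode_for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Parse the rendered markup and list the attributes the <input> ended up with.
// More than one name means the value escaped its attribute.
function input_attribute_names(string $html): array
{
    libxml_use_internal_errors(true);   // keep parser warnings off the output
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    $names = [];
    $input = $doc->getElementsByTagName('input')->item(0);
    if ($input !== null) {
        foreach ($input->attributes as $attr) {
            $names[] = $attr->nodeName;
        }
    }
    return $names;
}

// Constructed sample inputs. The second contains no tags at all, only a
// double quote, which strip_tags() does not touch.
$samples = [
    'with tags'  => 'Hello <b>world</b>',
    'quote only' => 'nick" title="injected',
];

foreach ($samples as $label => $raw) {
    $stripped = '<input value="' . clean_on_input($raw) . '">';
    $encoded  = '<input value="' . encode_for_html($raw) . '">';
    echo $label, PHP_EOL;
    echo '  strip_tags on input : ', implode(', ', input_attribute_names($stripped)), PHP_EOL;
    echo '  encoded on output   : ', implode(', ', input_attribute_names($encoded)), PHP_EOL;
}
```

The attribute list is the check to look at: a value that stays inside `value="..."` yields a single attribute name, so any extra name in the strip_tags() row shows that tag removal alone did not confine the data to its attribute.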
 