Thoughts
#6

When getting any data in from a user, you should filter/sanitize the data depending on where it's going. PHP provides filter_var and filter_input, which can help with that. However, it all seems to depend on how well you use the filter types (FILTER_SANITIZE_STRING, etc.). That helps clean the text up. HTMLPurifier is great at that also, and even helps close tags, which is a good defense.

Next, you need to escape the text before sending it to the database, using $this->db->escape() or one of the Query Builder commands that will auto-escape it for you. That makes sure it doesn't do anything bad during the save or retrieval process from the database.

Finally, you need to escape the data for use within the HTML itself, on display. This can be done with something like htmlspecialchars($message), which encodes the special HTML characters that can be used for XSS attacks and the like into safe HTML entities. This step gets more complicated as you get more advanced in your skills and knowledge, because you start to realize there are different types of escaping that need to be done based on whether it's in your HTML body, or an attribute, or in JavaScript code, or a URL, or some combination of the above that needs multiple types of escaping. It's one of the hardest parts to do 100% correctly. The best tool I've found for doing that is Zend's Escaper. All of that said, though, in your case, doing htmlspecialchars() when you display it to the user is a great start.

I would start by trying filter_var first on the input. If that takes too much out, then you might need to do something manually using strip_tags to remove any tags you don't want while white-listing the tags you do want to allow.

Or, yes, disable all HTML/CSS in the input and use something like Markdown.
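The three layers described in the post above, carried through in one runnable script. This is an added example, not code from the post or from CodeIgniter: it assumes PHP 7.4 or later with the pdo_sqlite extension, uses plain PDO with an in-memory SQLite table in place of the framework's Query Builder, and the escaper class, table, field names and hostile payloads are all made up for the demonstration. It validates input rather than stripping it, so the output layer is what actually does the work.

```php
<?php
// Added example, not from the forum post or CodeIgniter. It walks a comment
// through the three layers the post describes: validate on input, bind on the
// way to the database, escape per context on output. Assumes PHP >= 7.4 with
// the pdo_sqlite extension; the table, field names and payloads are made up.
declare(strict_types=1);

// Layer 1: validate input against what each field is supposed to hold.
// Validation rejects bad data instead of silently rewriting it.
function readComment(array $post): array
{
    $author = filter_var($post['author'] ?? '', FILTER_VALIDATE_REGEXP,
        ['options' => ['regexp' => '/^[\p{L}\p{N} _.\'-]{1,40}$/u']]);
    $site = filter_var($post['site'] ?? '', FILTER_VALIDATE_URL);
    $body = (string) ($post['body'] ?? '');
    if ($author === false || !mb_check_encoding($body, 'UTF-8') || mb_strlen($body) > 2000) {
        throw new InvalidArgumentException('invalid comment');
    }
    return ['author' => $author, 'site' => $site === false ? null : $site, 'body' => $body];
}

// Layer 2: bound parameters instead of hand escaping. CodeIgniter's Query
// Builder is framework-specific, so plain PDO with in-memory SQLite stands in.
function saveAndReload(array $c): array
{
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, site TEXT, body TEXT)');
    $stmt = $db->prepare('INSERT INTO comments (author, site, body) VALUES (:author, :site, :body)');
    $stmt->execute([':author' => $c['author'], ':site' => $c['site'], ':body' => $c['body']]);
    return $db->query('SELECT author, site, body FROM comments')->fetch(PDO::FETCH_ASSOC);
}

// Layer 3: one escaper per output context, in the spirit of Zend\Escaper
// (hypothetical class, not the Zend API).
final class Esc
{
    // Text between tags, or inside a quoted attribute.
    public static function html(string $s): string
    {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
    // Attribute values: encode everything but [A-Za-z0-9] as a numeric entity,
    // so the value cannot terminate the attribute even if it was left unquoted.
    public static function attr(string $s): string
    {
        return preg_replace_callback('/[^A-Za-z0-9]/u',
            fn(array $m): string => sprintf('&#x%X;', mb_ord($m[0], 'UTF-8')), $s);
    }
    // A JavaScript string literal (quotes included) for use inside <script>.
    // JSON_HEX_TAG turns "</script>" into \u003C/script\u003E, so the literal
    // cannot close the script block; htmlspecialchars would be wrong here.
    public static function js(string $s): string
    {
        return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
            | JSON_UNESCAPED_SLASHES | JSON_THROW_ON_ERROR);
    }
    // A value placed into a URL query string.
    public static function url(string $s): string
    {
        return rawurlencode($s);
    }
}

function renderComment(array $c): string
{
    // A URL that passed FILTER_VALIDATE_URL can still carry a scheme such as
    // javascript: (it only needs a host part), so the scheme is allow-listed
    // before the value goes anywhere near an href.
    $link = '';
    $scheme = $c['site'] === null ? null : parse_url($c['site'], PHP_URL_SCHEME);
    if (in_array(strtolower((string) $scheme), ['http', 'https'], true)) {
        $link = ' (<a href="' . Esc::attr($c['site']) . '">site</a>)';
    }
    return '<p data-author="' . Esc::attr($c['author']) . '">'
         . Esc::html($c['author']) . $link . ': ' . Esc::html($c['body']) . "</p>\n"
         . '<script>var lastAuthor = ' . Esc::js($c['author']) . ";</script>\n"
         . '<a href="/search?q=' . Esc::url($c['author']) . '">more by this author</a>';
}

// Constructed hostile input: each field tries to break out of its own context.
$input = [
    'author' => "O'Brien",
    'site'   => 'javascript://evil.example/%0Aalert(1)',
    'body'   => '"><script>alert(1)</script></p><p onmouseover="alert(2)">hi',
];
$stored = saveAndReload(readComment($input));
echo renderComment($stored), "\n";
```

Run it with `php comment.php`. The same author string comes out three different ways: `O&#x27;Brien` inside the data attribute, `"O\u0027Brien"` inside the script block, and `O%27Brien` in the query string, which is the point the post makes about context-specific escaping. The body payload survives storage untouched and is rendered inert as text, and the link is dropped because its scheme is not http or https even though filter_var accepted it as a URL.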


Messages In This Thread
Thoughts - by meow - 12-13-2015, 04:50 PM
RE: Thoughts - by solidcodes - 12-13-2015, 08:08 PM
RE: Thoughts - by meow - 12-13-2015, 11:56 PM
RE: Thoughts - by PaulD - 12-14-2015, 08:54 AM
RE: Thoughts - by meow - 12-14-2015, 09:37 AM
RE: Thoughts - by kilishan - 12-14-2015, 12:43 PM


