[eluser]geoffa[/eluser]
I'm working on a site that lets users edit HTML snippets and preview the results on the same page: <a href="http://showmehtml.com/">http://showmehtml.com/</a>
I had this feature enabled with jQuery but removed it after being educated about cross-site scripting attacks (XSS). I know CodeIgniter has a server-side XSS filter but wasn't sure how exactly to implement it in my particular situation.
In theory it seems like I could do the following:
- Have each form post via AJAX to a server-side script that runs the XSS filter
- Return the sanitized results to the page
Questions I have about this approach:
- Multiple forms on one page? Doesn't seem like it would work.
- Does the XSS filter remove markup entirely or just harmful markup? Since my site's purpose is to help people learn HTML, filtering all markup out wouldn't really work.
Thanks in advance for any advice. I'm going to work through some of these issues tonight but wanted to consult the experts first.
-geoff
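One way to wire up the approach sketched in the post (several forms, one AJAX endpoint, CodeIgniter's server-side filter), as an added example that is not from the original post or from the showmehtml.com code. It assumes CodeIgniter 2.x and invents the controller name `Preview` and the field names `form_id` and `snippet`.

```php
<?php
defined('BASEPATH') OR exit('No direct script access allowed');

// application/controllers/preview.php (hypothetical controller name)
class Preview extends CI_Controller {

    // Each form on the page POSTs its own 'form_id' and 'snippet' to this
    // method via AJAX, so any number of forms can share one endpoint.
    public function sanitize()
    {
        if ( ! $this->input->is_ajax_request()) {
            show_error('This endpoint only accepts AJAX requests.', 400);
        }

        // Read the raw values; xss_clean is applied explicitly below rather
        // than through post()'s second argument, so the two can be compared.
        $form_id = $this->input->post('form_id', FALSE);
        $raw     = $this->input->post('snippet', FALSE);

        if ($form_id === FALSE || $raw === FALSE) {
            show_error('Missing form_id or snippet.', 400);
        }

        // Server-side XSS filter. It does not strip markup wholesale:
        // ordinary tags such as <b>, <p> or <table> survive, while
        // <script> blocks, on* event handlers and javascript: URLs are
        // neutralised (entity-encoded or replaced with [removed]).
        $clean = $this->security->xss_clean($raw);

        // Echo the form id back so the client knows which preview pane
        // to update; the JSON content type keeps the browser from
        // interpreting the response itself as HTML.
        $this->output->set_content_type('application/json');
        $this->output->set_output(json_encode(array(
            'form_id'  => preg_replace('/[^A-Za-z0-9_-]/', '', $form_id),
            'snippet'  => $clean,
            'modified' => ($clean !== $raw), // TRUE when the filter changed something
        )));
    }
}
```

xss_clean is a pattern-based filter rather than a full HTML parser, so rendering the returned snippet inside an iframe with the `sandbox` attribute (and no `allow-scripts`) adds a second, independent layer of protection for the preview.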