I've got a problem in my current project:
Users can send an email using a textarea. We allow the user to put in whatever they want, and thus some HTML for formatting.
For example, the user should be allowed to use the <b> tag for bold text.
After completing their email, the user should be able to view a preview of their email dynamically.
There is a slight problem though: how can I avoid XSS hacks when the preview is being displayed?
You can of course strip them using underscore.js, but that wouldn't format their preview.
So I have forbidden all HTML tags for now, and only allowed tags like <hr>, <b>, etc.
What do you think about this solution? Is it secure enough?