
Limiting HTML Input into Text Box


How do I limit the types of HTML that a user can input into a textbox? I'm running a small forum using some custom software that I'm beta testing, but I need to know how to limit the HTML input. Any suggestions?


Solution

  • I'd suggest a slightly alternative approach:

    • Don't filter incoming user data (beyond prevention of SQL injection). User data should be kept as pure as possible.
    • Filter all outgoing data from the database; this is where things like tag stripping, etc. should happen.

    Keeping user data clean allows you more flexibility in how it's displayed. Filtering all outgoing data is a good habit to get into (along the never trust data meme).
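
One way to apply the output-side filtering suggested above, as an added example that is not part of the original answer: the post is stored unmodified and passed through an allowlist filter each time it is rendered. The tag list, the URL schemes and the names `render_post`, `OutputFilter` and `safe_href` are assumptions chosen for illustration; only Python's standard library is used.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist for a forum post; adjust to what the forum should render.
ALLOWED_TAGS = {"b", "i", "em", "strong", "code", "pre", "blockquote", "p", "br", "a"}
SAFE_SCHEMES = {"http", "https", "mailto"}
DROP_CONTENT = {"script", "style"}  # the text inside these is dropped as well

def safe_href(value):
    """Return an escaped href attribute, or '' when the scheme is not allowlisted."""
    href = (value or "").strip()
    try:
        ok = urlsplit(href).scheme.lower() in SAFE_SCHEMES
    except ValueError:  # malformed URL, e.g. a broken IPv6 literal
        ok = False
    return ' href="%s" rel="nofollow noopener"' % escape(href, quote=True) if ok else ""

class OutputFilter(HTMLParser):
    """Re-emits allowlisted tags only; attributes are discarded, text is escaped."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.skip = [], [], 0
    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
        if self.skip or tag not in ALLOWED_TAGS:
            return
        # The only attribute ever re-emitted is a vetted href on <a>.
        self.out.append("<%s%s>" % (tag, safe_href(dict(attrs).get("href")) if tag == "a" else ""))
        if tag != "br":  # br is a void element and is never closed
            self.open_tags.append(tag)
    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in self.open_tags:
            while self.open_tags:  # also closes tags left open inside this one
                closed = self.open_tags.pop()
                self.out.append("</%s>" % closed)
                if closed == tag:
                    break
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def render_post(raw):  # filter a stored, unmodified post at display time
    f = OutputFilter()
    f.feed(raw)
    f.close()
    return "".join(f.out + ["</%s>" % t for t in reversed(f.open_tags)])
```

Because the stored text is never altered, the allowlist can be tightened or loosened later and every existing post is re-rendered under the new rules.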