I recently discovered Summernote and it seems it is a decent application, although I have stumbled upon a problem.
You are able to when you go into your source code add malicious HTML code like for example:
<plaintext>
<script>
So how can I prevent that using PHP? I do want users to be able to use certain style tags like for example:
<h1>
<p>
Which the editor uses automatically.
I know I can go ahead and use str_replace() to check if the string has any of the malicious HTML in it, but I figured there must be an easier way to do it.
Normally, the problem here is that you're using text in the context of HTML without escaping all the reserved entities properly, which can lead to the injection of arbitrary HTML like you describe. htmlspecialchars() is the normal solution for this problem.
However, you want to support HTML, but don't really want to support all of it. Therefore, you need a different solution entirely. HTML Purifier is one solution that does what you want. It parses the data and only passes through white-listed tags. From their documentation:
require_once '/path/to/HTMLPurifier.auto.php';
$config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);
$clean_html = $purifier->purify($dirty_html);