Safely allowing user-entered HTML
AaronCampbell
07-03-2006, 11:37 AM
I have a field that the user is allowed to enter HTML formatted info. What sort of things do people escape/remove that will keep things safe? Things I was thinking:
script tags
object tags
applet tags
Anything else?
hmm... off the top of my head, base tags, which will mess with the links on the page ;)
AaronCampbell
07-03-2006, 11:48 AM
Will browsers obey that even if not in the head? I'll remove it anyway, because there's really no reason to allow it, but the HTML will only ever be displayed in the body.
Thanks
erisco
07-03-2006, 11:54 AM
Instead of removing things, why not just allow certain things? This way you know exactly what you are letting through, rather than shooting in the dark of what you are not preventing.
What about frame and iframe tags? As well as form elements ... seems a good idea to exclude those too.
erisco
07-03-2006, 12:35 PM
What about frame and iframe tags? As well as form elements ... seems a good idea to exclude those too.
Which is exactly my point. It would be easy to miss something in the filter, and make a loop-hole. That is all it would take to turn things bad. So I really think only allowing specific tags is safer than blocking specific tags. That way you know the submitted code can only be within the safe guidelines.
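The allow-list approach erisco argues for, as an added worked example (this is not code from anyone in the thread): a sanitiser built on Python's standard-library HTMLParser that keeps only a hypothetical allow list of tags and attributes, drops everything else (including script/style content and comments), checks the scheme of every href, and closes any tags the user left open. The allow list, the scheme list and the sample input at the bottom are assumptions made for this example.

```python
"""Allow-list sanitiser for user-supplied HTML, built on Python's standard-library parser."""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical policy for this example: only these tags survive, each with only
# the listed attributes. Anything not named here is dropped, never "blocked".
ALLOWED_TAGS = {
    "b": set(), "i": set(), "u": set(), "em": set(), "strong": set(),
    "p": set(), "br": set(), "ul": set(), "ol": set(), "li": set(),
    "a": {"href", "title"},
}
VOID_TAGS = {"br"}                       # no closing tag to balance
DROP_WITH_CONTENT = {"script", "style"}  # drop the element and its text
SAFE_SCHEMES = {"http", "https", "mailto", ""}  # "" = relative URL


def safe_href(value):
    """True if the URL's scheme is on the allow list.

    Browsers delete ASCII tab/newline/control characters before parsing a URL,
    so "java\\nscript:" must be normalised the same way before the scheme check.
    """
    cleaned = re.sub(r"[\x00-\x20]", "", value)
    try:
        return urlparse(cleaned).scheme.lower() in SAFE_SCHEMES
    except ValueError:  # e.g. malformed IPv6 bracket; treat as unsafe
        return False


class AllowListSanitizer(HTMLParser):
    def __init__(self):
        # convert_charrefs=True: entities in text and attribute values are decoded,
        # so an href of "&#106;avascript:" reaches safe_href as "javascript:".
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []  # allowed tags emitted so far, for balancing
        self.skip = 0        # > 0 while inside a script/style element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return  # unknown tag (base, iframe, object, ...): drop the tag, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue  # drops onclick=, style=, and every other unlisted attribute
            if name == "href" and not safe_href(value):
                continue
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
            return
        if self.skip or tag not in self.open_tags:
            return
        # Close everything opened after this tag so the output stays well nested.
        while self.open_tags:
            closed = self.open_tags.pop()
            self.out.append("</%s>" % closed)
            if closed == tag:
                break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))  # re-encode <, >, & in text

    def handle_comment(self, data):
        pass  # comments (including IE conditional comments) are dropped

    def result(self):
        self.close()
        while self.open_tags:  # close anything the user left open
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize(user_html):
    """Return user_html reduced to the allow-listed subset."""
    s = AllowListSanitizer()
    s.feed(user_html)
    return s.result()


if __name__ == "__main__":
    # Constructed sample input for this example, not taken from the thread.
    sample = ('<base href="http://example.invalid/"><p>Hi <b>there</b>'
              '<script>alert(1)</script><a href="javascript:alert(1)" onclick="x()">link</a>')
    print(sanitize(sample))  # <p>Hi <b>there</b><a>link</a></p>
```

Every tag raised in the thread (script, object, applet, base, iframe, form) disappears without being named anywhere, which is the point of the allow-list design: the filter cannot "miss" a dangerous tag because it never had to know about it. Note that the scheme check is applied to the decoded attribute value, and that comments are dropped rather than escaped. For a production system a maintained sanitiser library is still the better choice than a hand-rolled parser; this example shows the shape of the policy, not a finished product.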
darksidepuffin
07-03-2006, 12:41 PM
There's an article on ALA about this Aaron:
http://alistapart.com/articles/secureyourcode2
mainly deals with XSS...but it's a good starting point.
corey84
07-03-2006, 05:48 PM
I would suggest something akin to bbcode, as they can format it all without actually using HTML and you can control what they use and what they don't use. It may be more work in the long run, but in the end you'll get exactly what you want.
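corey84's BBCode suggestion as an added example (again, not code from anyone in the thread): the whole input is HTML-escaped first, and only then is a small fixed table of BBCode tags translated into HTML, so angle brackets typed by the user can only ever end up as text. The tag table, the URL scheme check and the `rel="nofollow"` attribute are choices made for this example, not a standard.

```python
"""Render a BBCode subset to HTML without ever passing user-typed HTML through."""
import re
from html import escape
from urllib.parse import urlparse

SAFE_SCHEMES = {"http", "https", "mailto", ""}  # "" = relative URL

# BBCode tag -> HTML element it becomes. Nothing outside this table is rendered.
SIMPLE_TAGS = {"b": "strong", "i": "em", "u": "u", "quote": "blockquote"}


def safe_href(url):
    """Scheme allow list; strips the tab/newline tricks browsers ignore."""
    try:
        return urlparse(re.sub(r"[\x00-\x20]", "", url)).scheme.lower() in SAFE_SCHEMES
    except ValueError:
        return False


def _link(match):
    href, text = match.group(1), match.group(2)
    if not safe_href(href):
        return match.group(0)  # unsafe scheme: leave the BBCode as literal text
    return '<a href="%s" rel="nofollow">%s</a>' % (href, text)


def render_bbcode(text):
    # Step 1: escape everything, so <, >, &, " and ' typed by the user can only
    # ever be text. From here on, only this function's own output contains markup.
    out = escape(text, quote=True)
    # Step 2: translate the allowed paired tags. Re-run until nothing changes so
    # that nested tags of the same name ([b][b]x[/b][/b]) resolve correctly.
    for bb, html_tag in SIMPLE_TAGS.items():
        pattern = re.compile(r"\[%s\](.*?)\[/%s\]" % (re.escape(bb), re.escape(bb)),
                             re.DOTALL | re.IGNORECASE)
        while True:
            new = pattern.sub(r"<%s>\1</%s>" % (html_tag, html_tag), out)
            if new == out:
                break
            out = new
    # Step 3: links. The URL may contain neither whitespace nor ']' and must pass safe_href.
    out = re.sub(r"\[url=([^\]\s]+)\](.*?)\[/url\]", _link, out,
                 flags=re.DOTALL | re.IGNORECASE)
    return out


if __name__ == "__main__":
    # Constructed sample input for this example, not taken from the thread.
    print(render_bbcode("[b]Hi[/b] <script>alert(1)</script> [url=javascript:alert(1)]x[/url]"))
```

Unclosed or unknown tags such as `[b]oops` or `[table]` simply stay as literal text, which is safe because the escaping already happened; the only markup that can appear in the output is what the translation table emits, so there is no list of forbidden tags to maintain.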