I'm creating a mini-forum in PHP and I want to allow user posts with limited text formatting and embedding images, but I want to do it securely (XSS-wise) and I was wondering what's the most optimal approach of the ones below.
1) Strip all HTML tags from user input, and replace the WYSIWYG editor's controls with BBCode. Is strip_tags sufficient for this?
2) Allow HTML input through the WYSIWYG, but use a parser to convert the output from HTML to BBCode. Can anyone recommend a secure BBCode parser for this?
Any other ideas are more than welcome.
