There are several ways to solve this problem, but since you did not indicate which technologies you are using, it is difficult to give anything more than rough answers.
Also, you have not specified whether you want to allow or forbid entering normal HTML into the field.
Method 1:
Sanitize the input on the way in. When you are saving something to the server, find the script tags and remove them.
This is actually much more complicated than you might expect.
Method 2:
Escape the data on the way back out of the server. In PHP there is a function called htmlentities that turns all HTML into literally what is printed.
The words <script>alert("hello")</script> will appear on your page.
Method 3:
Whitelist
This is far beyond one post, and you really need to know your internal system, but it is possible to allow some HTML while disallowing the rest.
This is insanely difficult to get right, and your best bet really is to use a library package that has been very well tested.
Jeremy J Starcher
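Method 2 from the answer above, as an added example that is not part of the original post: the input is stored unchanged and escaped only at the point where it is written into HTML. The helper name escapeForHtml and the sample strings are assumptions made for this example; htmlentities and the ENT_* flags are PHP's own.

```php
<?php
// Added example (not from the original answer): escape on output, not on input.
declare(strict_types=1);

/**
 * Escape a string for insertion into HTML text or a quoted attribute value.
 * ENT_QUOTES encodes both ' and ", so the result is also safe inside a quoted
 * attribute; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an
 * empty string, which would otherwise silently drop the whole field.
 */
function escapeForHtml(string $untrusted): string
{
    return htmlentities($untrusted, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample input: the same string the answer uses.
$comment = '<script>alert("hello")</script>';

// Saved as-is (for example in the database); nothing is stripped on the way in,
// so the stored value stays an exact record of what the user typed.
$stored = $comment;

// On the way out, escape at the template boundary, once, in the HTML context.
$html = '<p class="comment">' . escapeForHtml($stored) . '</p>';
echo $html, PHP_EOL;

// The same helper is enough inside a quoted attribute, because the quotes
// and the ampersand are encoded along with the angle brackets.
$title = 'He said "hi" & left';
echo '<a title="' . escapeForHtml($title) . '">link</a>', PHP_EOL;
```

Because escaping happens at output, the same stored value can later be emitted into a different context (JSON, a URL, plain text) with the escaping function that fits that context, which is the main reason this approach is easier to get right than stripping tags on the way in.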