Andy Boyd


Checklist for validating input

Posted in Web Stuff, Security by andy on April 19th, 2006

The “secure your code” article on A List Apart by Niklas Bivald has some great insights:

While most community managers already know these basics, here’s a short list for newcomers:

  • Strip out single and double quotes or convert them to their HTML entities (&lsquo; and &rsquo; for opening and closing single quotes, &ldquo; and &rdquo; for opening and closing double quotes). Please note however, that this does not entirely protect you. An attacker could still use String.fromCharCode(39) in an eval() function.
  • Convert < and > to &lt; and &gt;.
  • Convert all line breaks to <br />. If you do this on all code, including style tags, you will save yourself from an attack. See “IE, CSS and JavaScript”.
  • Check your self-created code tags (such as [URL]) to make sure the user is not allowed to inject JavaScript in URLs or CSS.
  • Consider stripping out the word “script” to prevent someone from trying to inject the word JavaScript. Keep in mind, though, that as far as IE is concerned, “ja\n\sc\nript” is valid.
  • Use regular expressions (server side) to validate and sanitize user input, as described above.
  • Validate CSS input!
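As an added example (not from the A List Apart article or this post), here is a small server-side sanitizer that applies the first four checklist items to a forum post with a [URL] code tag. It is assumed to run under Node.js; the function names and sample inputs are constructed for the demo, and quotes are encoded as &quot; and &#39; rather than the typographic entities the list suggests, so the stored text round-trips unchanged.

```javascript
// Entity map for the characters that can end a text node or attribute value.
// "&" is included so the output is unambiguous and never double-decoded.
const ENTITY_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Checklist items 1-3: encode the breakout characters, then turn line breaks
// into <br />. Quotes become &quot; / &#39; here instead of the typographic
// entities, so the stored text still reads back as the user typed it.
function escapeHtml(text) {
  return String(text)
    .replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch])
    .replace(/\r\n|\r|\n/g, "<br />");
}

// Checklist item 4: render a [URL]...[/URL] tag only when the link parses
// and uses http or https; anything else (javascript:, data:, junk) is shown
// as escaped text instead of landing in an href attribute.
function renderUrlTag(raw) {
  let parsed;
  try {
    parsed = new URL(raw.trim()); // WHATWG parser: throws on non-URLs
  } catch {
    return escapeHtml(raw);
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
    return escapeHtml(raw);
  }
  const href = escapeHtml(parsed.href); // normalised form, then entity-encoded
  return `<a href="${href}">${href}</a>`;
}

// Server-side pass over one post: every [URL] tag goes through renderUrlTag,
// every other character through escapeHtml. No word blacklist is involved, so
// the split "sc\nript" spelling the article mentions is neutralised along with
// everything else: the surrounding "<" and ">" never reach the browser as markup.
function sanitizePost(text) {
  const tag = /\[URL\]([\s\S]*?)\[\/URL\]/gi;
  const parts = [];
  let last = 0;
  let m;
  while ((m = tag.exec(text)) !== null) {
    parts.push(escapeHtml(text.slice(last, m.index)), renderUrlTag(m[1]));
    last = tag.lastIndex;
  }
  parts.push(escapeHtml(text.slice(last)));
  return parts.join("");
}
```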
