Answer
User-generated HTML must be treated as untrusted and sanitized before it is inserted into a page; sanitize on the server (or in the same DOM the markup will be inserted into), and sanitize last, after any other transformation, so nothing can re-introduce markup. • Prefer plain text output when rich HTML is not required: encode the input for the HTML context and insert it as text. • When HTML is required, use a maintained allowlist sanitizer (an allowlist of elements, of attributes per element, and of URL schemes such as http, https and mailto); a blocklist of known-bad tags is bypassed by the next tag or attribute you did not think of. Remove script-capable elements together with their content, drop event-handler (on*) and style attributes, and reject href/src values whose scheme is not allowlisted. • Combine sanitization with contextual output encoding (attribute, URL and JavaScript contexts each need their own encoding), a Content Security Policy that limits what injected markup can do, and server-side security controls.
💡 Simple Example
Untrusted input: <article><h2>User post</h2><p onclick="alert(1)">This paragraph was allowed by the sanitizer.</p><script>alert(1)</script></article>
Sanitized output (script element and its content removed, event handler dropped): <article><h2>User post</h2><p>This paragraph was allowed by the sanitizer.</p></article>
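The following is an added example, not code from the original page: a small allowlist sanitizer built on Python's standard-library `html.parser`, written to show the mechanics the answer above describes (element allowlist, per-element attribute allowlist, URL-scheme check, dropping script-capable elements together with their content). The allowed element set, the `safe_url` helper and the sample inputs are assumptions chosen for illustration. In production use a maintained sanitizer rather than this one; it exists to make the rules concrete.

```python
import re
from html import escape
from html.parser import HTMLParser

# Allowlist (assumed for this example): element -> attributes permitted on it.
# Anything not listed here is dropped. Note there is no "on*" and no "style".
ALLOWED = {
    "article": set(), "h2": set(), "h3": set(), "p": set(), "br": set(),
    "strong": set(), "em": set(), "b": set(), "i": set(),
    "ul": set(), "ol": set(), "li": set(), "blockquote": set(),
    "code": set(), "pre": set(),
    "a": {"href", "title"},
}
VOID = {"br"}
URL_ATTRS = {"href"}
SAFE_SCHEMES = {"http", "https", "mailto"}
# Elements whose content is removed as well, not just the tags around it.
DROP_CONTENT = {"script", "style", "iframe", "object", "embed",
                "noscript", "template", "svg", "math"}

_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):")


def safe_url(value: str):
    """Return a cleaned URL if it is relative or its scheme is allowlisted, else None."""
    # Browsers ignore ASCII control characters and whitespace inside a URL, so
    # "java\tscript:" or "java&#9;script:" still runs as javascript:. Strip them
    # before looking at the scheme instead of trusting the raw string.
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20)
    m = _SCHEME_RE.match(cleaned.lower())
    if m is None:
        return cleaned  # no scheme: relative URL, kept as-is
    return cleaned if m.group(1) in SAFE_SCHEMES else None


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities in text become characters
        self.out = []
        self.open = []   # stack of allowed elements currently open
        self.skip = 0    # > 0 while inside an element whose content is dropped

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
            return
        if self.skip:
            return
        allowed_attrs = ALLOWED.get(tag)
        if allowed_attrs is None:
            return  # unknown or forbidden element: drop the tag, keep its text
        parts = [f"<{tag}"]
        for name, value in attrs:  # HTMLParser already lower-cases names
            if name not in allowed_attrs:
                continue  # drops onclick, onerror, style, srcdoc, ...
            value = value or ""
            if name in URL_ATTRS:
                value = safe_url(value)
                if value is None:
                    continue  # javascript:, data:, vbscript: ... are rejected
            parts.append(f' {name}="{escape(value, quote=True)}"')
        parts.append(">")
        self.out.append("".join(parts))
        if tag not in VOID:
            self.open.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> and friends

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
            return
        if self.skip or tag not in self.open:
            return
        # Close everything opened after this element so the output stays balanced.
        while self.open:
            t = self.open.pop()
            self.out.append(f"</{t}>")
            if t == tag:
                break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))  # re-encode &, <, >

    def handle_comment(self, data):
        pass  # comments (including conditional comments) are dropped

    def result(self) -> str:
        self.close()
        while self.open:  # close anything the input left open
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize(untrusted_html: str) -> str:
    """Serialize only allowlisted markup from an untrusted HTML fragment."""
    p = AllowlistSanitizer()
    p.feed(untrusted_html)
    return p.result()


if __name__ == "__main__":
    # Constructed sample input for illustration.
    sample = ('<article><h2>User post</h2><p onclick="alert(1)">Hi '
              '<a href="java&#9;script:alert(1)">link</a></p>'
              '<script>alert(1)</script></article>')
    print(sanitize(sample))
```

Two design points are worth noticing. First, the sanitizer re-serializes from its own parse rather than editing the input string, so whatever the parser could not understand never reaches the output. Second, `safe_url` normalizes the value before checking the scheme and emits the normalized value, because a check on the raw string would pass `java\tscript:` while the browser still executes it. Protocol-relative `//host/path` URLs are accepted as relative here; reject those too if the page must not link off-site.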
⚡ Quick Revision
Render untrusted input as text, or sanitize it with a strict allowlist of elements, attributes and URL schemes before inserting it as HTML; never rely on a blocklist, and keep CSP and output encoding as additional layers.