views: 52
answers: 3

In our application, we allow users to write their Bio using a WYSIWYG editor, but it often contains bad HTML that breaks our page. Is it a good idea to show the user bio inside an iframe so it doesn't affect the rest of the page? Or any better options?

Thanks

+1  A: 

It's not a bad idea, but why don't you validate the HTML before you save it? Or is it not bad, just plain ugly? Most editors do have, e.g., "clean Office formatting". Or is it a business requirement to allow entering HTML?

But an iframe is the safest way of doing it, I'd say go for it!

cjensen
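A worked example of the iframe approach, added here (it is not code from cjensen's answer or from the question): a Python helper that wraps a bio in an iframe through the `srcdoc` attribute. The sample bio, the function names and the `sandbox` policy are my assumptions. The two checks a practitioner would want are (a) the bio must be attribute-escaped so it cannot close the `srcdoc` attribute and spill into the parent page, and (b) the `sandbox` attribute must be present, because a `srcdoc` frame without `sandbox` inherits the parent page's origin and any script in the bio runs with full access to it. The naive version is kept beside the hardened one to show the break-out.

```python
import html

# Constructed sample bio (an assumption for this example): ordinary WYSIWYG
# output with an unclosed <b>, followed by an attempt to close the srcdoc
# attribute and the iframe and run script in the parent page.
SAMPLE_BIO = ('<p>Hi, I am "Alice" &amp; I like <b>cats</p>'
              '"></iframe><script>alert(document.cookie)</script>')


def sandbox_allows_escape(sandbox_tokens):
    """True when the sandbox token set lets the framed content remove its own
    sandbox: with both allow-scripts and allow-same-origin the frame is
    same-origin with the parent, so its script can rewrite the iframe element."""
    tokens = set(sandbox_tokens.split())
    return {"allow-scripts", "allow-same-origin"} <= tokens


def naive_bio_iframe(bio_html):
    """Unsafe: drops the bio into srcdoc with no attribute escaping.
    A double quote in the bio ends the attribute; everything after it is parsed
    as page markup, so </iframe><script>... runs in the parent page."""
    return f'<iframe srcdoc="{bio_html}"></iframe>'


def sandboxed_bio_iframe(bio_html, sandbox=""):
    """Render the bio inside a sandboxed iframe.

    - html.escape(..., quote=True) turns " < > & into entities, so the bio can
      close neither the srcdoc attribute nor the iframe; the browser decodes
      the entities back into the bio's HTML inside the frame, where broken
      markup (an unclosed <b>) only affects the frame's own document.
    - sandbox="" (no allow-scripts, no allow-same-origin) gives the frame an
      opaque origin and blocks script, forms and top navigation. Without
      sandbox a srcdoc frame inherits the parent's origin.
    """
    if sandbox_allows_escape(sandbox):
        raise ValueError("allow-scripts + allow-same-origin defeats the sandbox")
    return (f'<iframe sandbox="{html.escape(sandbox, quote=True)}" '
            'referrerpolicy="no-referrer" '
            f'srcdoc="{html.escape(bio_html, quote=True)}"></iframe>')


if __name__ == "__main__":
    print("naive    :", naive_bio_iframe(SAMPLE_BIO))
    print("sandboxed:", sandboxed_bio_iframe(SAMPLE_BIO))
```

The empty `sandbox=""` is the strictest setting. If the bio ever needs `allow-scripts`, never pair it with `allow-same-origin`; `sandbox_allows_escape` refuses that combination because it lets the framed script strip its own sandbox. Note that the iframe only isolates the markup; it does not clean it, so whatever is stored still needs server-side filtering if it is ever rendered anywhere else.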
+1  A: 

A solution would be to filter the HTML, to make sure it's "OK":

  • Valid HTML
  • That only contains the tags you want to allow
  • And doesn't cause any security problem.

A great tool that does that is HTML Purifier (quoting):

HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, it will also make sure your documents are standards compliant

Basically, once the HTML has been typed by the user, before saving it to your database, you'd pass it through HTML Purifier, which will make sure it's valid, and remove any tag/attribute that you didn't specify as "allowed".

Pascal MARTIN
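As an added example of the filtering approach described above (it is not HTML Purifier and not code from Pascal MARTIN's answer), here is the same idea in Python using the standard library's `html.parser`: an allowlist of tags and attributes, everything else dropped, `script`/`style` content removed entirely, `href` restricted to http/https/mailto or relative URLs, text re-escaped, and unclosed tags closed so the stored fragment cannot break the page layout. The allowlist, the sample inputs and the function names are assumptions made for illustration; for production use a maintained sanitizer such as HTML Purifier rather than a hand-rolled one.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlist (an assumption for this example): tag -> attributes kept on it.
# Anything not listed is removed; its text content survives.
ALLOWED_TAGS = {
    "p": set(), "br": set(), "b": set(), "strong": set(), "i": set(), "em": set(),
    "ul": set(), "ol": set(), "li": set(), "a": {"href"},
}
VOID_TAGS = {"br"}
# Elements whose text content is dropped together with the tag itself.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}
SAFE_URL_SCHEMES = {"http", "https", "mailto"}


def safe_href(value):
    """Return a cleaned href if its scheme is allowed (or it is relative), else None."""
    if value is None:
        return None
    # Drop whitespace and control characters, which browsers ignore inside a
    # URL, so that "java\tscript:" cannot slip past the scheme check.
    cleaned = "".join(ch for ch in value if ord(ch) > 32)
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme == "" or scheme in SAFE_URL_SCHEMES:
        return cleaned
    return None


class BioSanitizer(HTMLParser):
    """Allowlist filter built on the stdlib tokenizer (not a regex)."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # allowed tags currently open, for re-balancing
        self.drop_depth = 0   # > 0 while inside a DROP_CONTENT_TAGS element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return                            # <div>, <img>, <span> ... vanish
        kept = []
        for name, value in attrs:             # attribute values arrive unescaped
            if name not in ALLOWED_TAGS[tag]:
                continue                      # onclick, style, id ... dropped
            if name == "href":
                value = safe_href(value)      # javascript:, data:, vbscript: ... dropped
                if value is None:
                    continue
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        if tag == "a":
            kept.append(' rel="nofollow noopener"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if self.drop_depth or tag not in self.open_tags:
            return                            # stray </div>, </b> ... ignored
        while self.open_tags:                 # close anything still open inside it
            top = self.open_tags.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(html.escape(data, quote=False))

    # Comments, doctypes and processing instructions are silently dropped
    # (HTMLParser's default handlers do nothing).

    def result(self):
        self.close()
        while self.open_tags:                 # balance tags the user left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_bio(raw_html):
    """Filter one bio fragment; call this before saving it to the database."""
    parser = BioSanitizer()
    parser.feed(raw_html)
    return parser.result()


if __name__ == "__main__":
    # Constructed inputs for illustration.
    for sample in ('<p>Hello <script>alert(1)</script>world',
                   '<a href="&#106;avascript:alert(1)">x</a>',
                   '<b>unclosed <i>tags'):
        print(repr(sample), "->", repr(sanitize_bio(sample)))
```

Two design points worth noting: the filter works on the tokenizer's output rather than on regular expressions, so entity-encoded payloads like `&#106;avascript:` are seen as `javascript:` after decoding; and it never passes the original bytes through, it rebuilds the fragment from allowed pieces, which is what makes the output balanced and the text safely re-escaped.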