I'm currently working on a website, where users can write articles with few format possibilities (like bold, italic, list...). I'm using a framework: CodeIgniter.

I'm a beginner, and I've heard some stuff about XSS. I would like to know what do you think about my implementation. I read this topic: What's the best method for sanitizing user input with PHP?

1) The user write his article, format it with BBCode. I'm using SCEditor.

2) When saving it into database, I'm using htmlspecialchars() to filter any suspect HTML tag. Am I supposed to do this when I'm saving data, or displaying data?

3) When I want to display the article on the website (for other uses for example), I convert BBCode tags into HTML tags.

Is it a right way to do it? Am I avoiding XSS?

I am obviously open to suggestions and advices.

Thanks for your answers

Codeigniter for validation has a property xss which will do all those staff

$this->form_validation->set_rules('username', 'Username', 'trim|required|min_length[5]|max_length[12]|xss_clean');

check out form validation Codeigniter:

http://ellislab.com/codeigniter/user-guide/libraries/form_validation.html

I "find and replace" using PHP, I don't think it's the most efficient way of doing it though.

<?php
    $malicious = "<script>alert(1)</script>";
    $malicious = str_ireplace("<", "", $malicious);
    $malicious = str_ireplace(">", "", $malicious);
    echo $malicious;
?>

<?php
$malicious = "<script>alert(1)</script>";
$malicious = strip_tags($malicious);
$malicious = htmlentities($malicious, ENT_QUOTES);
echo $malicious;
?>