How do you prevent your web page from breaking if a user submits an <iframe> element with no closing tag?
11-09-2012, 07:41 PM
Post: #1
I have a website where users are allowed to submit content --- if a user accidentally (or maliciously) puts <iframe> in their submission with no closing tag, it breaks the rest of the page. Is there anything that can be done (preferably server side via PHP) that won't allow the errant submission to break the rest of the web page?

Thanks in advance for your help.

11-09-2012, 07:49 PM
Post: #2
 
You'll need to parse the input and remove/ignore any tags like that.

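One way to do what post #2 suggests, server side in PHP, as an added example that is not part of the original thread: parse the submission with DOMDocument and re-emit only an allow-list of tags with escaped text, so an unclosed or disallowed element such as <iframe> never reaches the page. The tag lists, function names and sample input are assumptions.

```php
<?php
// Added example; both lists are an assumed policy, adjust them to your site.
const ALLOWED_TAGS = ['p', 'br', 'b', 'i', 'em', 'strong', 'ul', 'ol', 'li', 'blockquote', 'a'];
const DROP_WITH_CONTENT = ['script', 'style'];

// Re-serialise one parsed node: text is escaped, allowed tags are rebuilt by hand.
function render_node(DOMNode $node): string
{
    if ($node->nodeType === XML_TEXT_NODE || $node->nodeType === XML_CDATA_SECTION_NODE) {
        return htmlspecialchars($node->nodeValue, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
    if ($node->nodeType !== XML_ELEMENT_NODE) {
        return ''; // comments, processing instructions, etc.
    }
    $tag = strtolower($node->nodeName);
    if (in_array($tag, DROP_WITH_CONTENT, true)) { return ''; }
    $inner = '';
    foreach ($node->childNodes as $child) {
        $inner .= render_node($child);
    }
    if (!in_array($tag, ALLOWED_TAGS, true)) {
        return $inner; // e.g. <iframe>: the tag is discarded, text inside stays as escaped text
    }
    if ($tag === 'br') { return '<br>'; }
    $attrs = '';
    if ($tag === 'a') {
        // Only absolute http(s) links survive; javascript:, data: and the like are dropped.
        $href = trim($node->getAttribute('href'));
        $scheme = strtolower((string) parse_url($href, PHP_URL_SCHEME));
        if (in_array($scheme, ['http', 'https'], true)) {
            $attrs = ' href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '" rel="nofollow noopener"';
        }
    }
    return "<$tag$attrs>$inner</$tag>"; // every emitted tag is closed here
}

function sanitize_user_html(string $input): string
{
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true); // malformed markup is expected here
    $doc->loadHTML('<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8">'
        . '</head><body>' . $input . '</body></html>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    $body = $doc->getElementsByTagName('body')->item(0);
    return $body === null ? '' : render_node($body); // <body> itself is not allow-listed
}
// Constructed sample submission with an unclosed <iframe>.
echo sanitize_user_html('<p>Hello <b>world</b><iframe src="http://example.invalid/">trailing text'), "\n";
```

If users do not need any formatting at all, skip the parser and print the submission through htmlspecialchars() instead.
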
11-09-2012, 07:49 PM
Post: #3
 
This is a tough one, I would consider using a website called http://www.HowStuffWorks.com
11-09-2012, 07:49 PM
Post: #4
 
Short answer is you can't.

Your best option to minimize the accidental error is by providing a WYSIWYG (What You See Is What You Get) HTML editor ( http://en.wikipedia.org/wiki/HTML_editor ) such that your user edits the HTML page by clicking on buttons, like editing an MS Word document, and the HTML code is then generated automatically.

However, this does not prevent malicious users from injecting malicious code, like you already thought about. The malicious things that can be done are not limited to creating a broken-looking page. Another thing they can do is set the 'src' of the iframe to a URL that sends a spam message to your Facebook friends, for example. There are many others.

You'd usually allow users to edit the HTML page only if they 'own' the page, so they are responsible for what happens to the page. For example, in a Content Management System (CMS) software.