Question

I am looking for a way or function that will allow me to display data from my MySQL database. The users are allowed to post articles; I use mysql_real_escape_string to avoid SQL injections before inserting their posts in the DB.

For my testing purposes I write in a text area my post with tags like <b> <a> <i> <li>. Later I will use an editor like the one here on Stack Overflow to help users with their posts.

However, I am aware of XSS, and just echoing straight from the DB may lead to XSS attacks. So, for my tests I chose to output the content with htmlentities or htmlspecialchars. Neither of them will show me the post correctly with HTML.

Therefore, I used strip_tags, but as far as I know and have read, it is not safe.

What is a function that you may use too, that will let me output the data correctly, just like this, and prevent XSS?


Solution

If you want to display HTML correctly, you should print the plain HTML as you get it. But to avoid XSS, try to remove JavaScript tags and don't allow images to be loaded from external resources.
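The approach that actually holds up here is an allowlist sanitizer: parse the stored HTML, keep only a fixed set of tags and attributes, reject dangerous URL schemes in href, and escape every piece of text. Below is an added example of that technique (it is not code from the original question or answer, and it is written in Python rather than the asker's PHP so it can be run as-is). The allowlist, the `ALLOWED_URL_SCHEMES` set and the sample post are all assumptions chosen to match the tags mentioned in the question.

```python
"""Allowlist HTML sanitizer for user-posted article bodies.

Added example, not taken from the original post. Standard library only.
The tag/attribute allowlist is an assumption that matches the tags the
question mentions (<b>, <a>, <i>, <li>) plus a few common ones.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed policy: tags the editor may emit and the attributes each may carry.
# Anything not listed is dropped, never passed through.
ALLOWED_TAGS = {
    "b": set(), "i": set(), "strong": set(), "em": set(),
    "p": set(), "br": set(), "ul": set(), "ol": set(), "li": set(),
    "a": {"href", "title"},
}
VOID_TAGS = {"br"}
DROP_CONTENT_TAGS = {"script", "style"}   # drop the tag AND its contents
ALLOWED_URL_SCHEMES = {"http", "https", "mailto"}


def safe_url(value):
    """Return a cleaned href if it is relative or uses an allowed scheme, else None.

    Control characters and whitespace are removed first because browsers
    ignore them in URLs, so "java\\tscript:" would otherwise slip through.
    """
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20)
    scheme = urlparse(cleaned).scheme.lower()
    if scheme == "" or scheme in ALLOWED_URL_SCHEMES:
        return cleaned
    return None


class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []     # allowed tags currently open, for well-formed output
        self.skip_depth = 0     # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return                      # drop the tag, keep its inner text
        parts = [tag]
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue                # onclick, style, onerror, ... are dropped
            if name == "href":
                value = safe_url(value)
                if value is None:
                    continue            # javascript:, data:, vbscript:, ...
            parts.append('%s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s>" % " ".join(parts))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:   # e.g. <b/>
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return                      # stray or disallowed closing tag
        while self.open_tags:           # close anything opened after this tag
            opened = self.open_tags.pop()
            self.out.append("</%s>" % opened)
            if opened == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass                            # comments are dropped entirely

    def result(self):
        self.close()
        while self.open_tags:           # close tags the author left open
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize_html(fragment):
    """Return fragment with only allowlisted tags/attributes and all text escaped."""
    s = _Sanitizer()
    s.feed(fragment)
    return s.result()


if __name__ == "__main__":
    # Constructed sample post mixing legitimate markup with XSS attempts.
    post = ('<b>Hello</b> <a href="javascript:alert(1)" onclick="x()">bad</a> '
            '<a href="https://example.org">ok</a><script>steal()</script>'
            '<img src=x onerror=alert(1)> 1 < 2 <li>item')
    print(sanitize_html(post))
```

Run the sanitizer once at output time (or at save time, as long as the stored value is never echoed unsanitized) and then print its result as plain HTML, which is what the answer above recommends. Note what the allowlist does that simply removing `<script>` does not: it drops `onclick`/`onerror` handlers, rejects `javascript:` and `data:` hrefs even when obfuscated with tab characters, escapes stray `<` in text, and closes tags the author left open. In a PHP application the same job is done by a maintained library such as HTML Purifier, which is a better choice than a hand-written parser for production.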

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow