HTML Sanitization – Keeping websites safe by preventing malicious attacks
HTML sanitization is the process of examining an HTML document and producing a new HTML document that preserves only whatever tags are designated “safe” and desired. HTML sanitization can be used to protect against cross-site scripting (XSS) attacks by sanitizing any HTML code submitted by a user. (Source: Wikipedia)
The right kind of sanitization or encoding depends on the context into which the user data is written; the main contexts are described below.
In an HTML context, data is written into an HTML page as part of the element content, for example as the text inside a <p> tag.
In an attribute context, user data is included as the attribute value of an HTML tag. For event-handling attributes such as onmouseover, onclick, onfocus or onblur, you need to be even more careful, because their values are executed as script. The best advice is to never put input data directly into an event handler.
A special case of the attribute context is the URL context. The values of the href and src attributes of various elements are URLs and need to be treated as such, not merely encoded as ordinary attribute text.
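The three contexts above, as an added example that is not part of the original article: a small set of context-aware output encoders written in JavaScript. The function names, the allowed-scheme list and the sample inputs are assumptions made for this illustration, not code from the page or from any library. It shows why one encoder does not fit every context: the HTML-content encoder leaves spaces and `=` alone, so it cannot protect an unquoted attribute, and neither encoder helps for a URL, where the scheme has to be validated instead.

```javascript
// Added example (not from the original article). All names and sample
// inputs below are constructed for illustration.

// HTML element-content context: escape the characters that could open a
// tag or start an entity, so the data renders as text inside e.g. <p>...</p>.
function encodeForHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Attribute-value context: encode every non-alphanumeric character as a
// numeric entity, so the value can never close the quote or the tag, even if
// the template author forgot to quote the attribute. Deliberately no encoder
// is offered for event-handler attributes: user data never belongs there.
function encodeForAttribute(str) {
  return String(str).replace(/[^A-Za-z0-9]/gu, (ch) =>
    '&#x' + ch.codePointAt(0).toString(16) + ';');
}

// URL context (href/src): validate the scheme rather than only encoding.
// The WHATWG URL parser is used to decide the scheme, which also lowercases
// it and ignores embedded tabs/newlines, so obfuscated schemes do not slip
// through. Returns the trimmed URL, or null if it must be rejected.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']); // assumption
function sanitizeUrl(str) {
  const trimmed = String(str).trim();
  let parsed;
  try {
    // The base only matters for relative URLs; it lets them parse at all.
    parsed = new URL(trimmed, 'https://example.invalid/');
  } catch (e) {
    return null; // unparseable input is rejected, not "fixed"
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? trimmed : null;
}

// Combine the encoders: a link whose href and text both come from the user.
// The href goes through URL validation AND attribute encoding (a URL is a
// special case of the attribute context); the link text through HTML encoding.
function renderLink(userUrl, userText) {
  const safeUrl = sanitizeUrl(userUrl);
  if (safeUrl === null) {
    return encodeForHtml(userText); // no link at all for a rejected URL
  }
  return '<a href="' + encodeForAttribute(safeUrl) + '">' +
         encodeForHtml(userText) + '</a>';
}

// Example run with constructed inputs (not captured by any test harness).
console.log(encodeForHtml('<b>Tom & Jerry</b>'));
console.log(encodeForAttribute('x onmouseover=y'));
console.log(renderLink('javascript:alert(1)', 'click me'));
console.log(renderLink('https://example.com/?q=a&b', 'Tom & Jerry'));
```

Note that `encodeForAttribute` is intentionally aggressive (it even encodes `/` and `.` in the URL), which is harmless to the browser and removes any dependence on how the attribute is quoted. `sanitizeUrl` keeps relative URLs as they are; only the scheme decision uses the placeholder base.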
Internet Explorer is the only major browser that allows script execution within CSS, using its expression() syntax (deprecated and no longer supported in IE8 and later).
For further examples and more detailed information, see Smashing Magazine.