I have a textarea setup with CKEditor (a WYSIWIG) in which the user is allowed to enter information with a few markup options. However I need to stop potential hackers exploiting this feature and entering malicious code.
I can strip out the tags I don't want using PHPs strip_tags() using an array of allowed tags: http://php.net/manual/en/function.strip-tags.php
However the possibility still remains that an attacker could simply add onload or onclick etc to any HTML tag that is on the allowed list.
So what would be my best option to check for this type of issue?
My initial thought is to create a blacklist array of these JavaScript functions and then see if any of them occur within the entered data.
Does that sound like a good way to do it or are there better alternatives?
Use more robust tool like http://htmlpurifier.org/
It allows you sanitize input, add allowed attributes, tags. You will have more control.
I highly recommend you create whitelist, instead of blacklist. With blacklist you may skip some dangerous attributes, while with whitelist you allow what you want.