Board Thread:Code Review/@comment-4356266-20151008134915/@comment-24473195-20151010141219

"Not sure exactly how to escape html, as I do need to be able to include links and whatnot, as the end-users (or end-admins) sees fit."

You simply need to go through it line by line and validate all tags and input. Your two choices are:

 * Either blacklist what you don't want or need
 * Validate everything in the "$item" HTML

It is quite simple to breach your current script. An admin can easily go in and write the following notification (or someone can convince them that it is perfectly safe):

Clicking the "click me" link will allow one to do just about anything using JavaScript.
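An allowlist sanitizer of the kind the second option ("validate everything") calls for, as an added example that is not the thread's own code. It assumes the notification arrives as a Python string (the original script appears to be PHP, so this is a port of the idea, not a drop-in); only a handful of tags and http(s)/relative links survive, and every `on*` handler or scripting URL is dropped.

```python
# Added example: allowlist sanitizer for admin-entered notification HTML.
# Keeps a few formatting tags plus <a href>, rejects everything else.
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}   # no style, no on* handlers anywhere
ALLOWED_SCHEMES = {"http", "https"}

def safe_href(url):
    """Allow relative paths and absolute http(s) URLs only.
    Browsers ignore ASCII control chars/whitespace when sniffing the scheme
    ("java\\tscript:"), so strip them before inspecting it."""
    cleaned = re.sub(r"[\x00-\x20]", "", url)
    scheme = urlparse(cleaned).scheme   # urlparse lowercases the scheme
    return scheme == "" or scheme in ALLOWED_SCHEMES

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # decodes &#58; etc. before checks
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                      # <script>, <img>, <iframe>, ... are dropped
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                # drops onclick=, onerror=, style=, ...
            if name == "href" and not safe_href(value):
                continue                # drops javascript:, data:, vbscript: links
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))   # text nodes are always re-escaped

def sanitize(html):
    """Return a cleaned copy of the admin-entered HTML."""
    p = Sanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)
```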