
You want to accept text input from users: comments on your forum, entries in your wiki, et cetera. You want the users to be able to add formatting to their text. If they are allowed to use the full spectrum of HTML in their input, you run the risk of XSS or just broken-looking pages.
There are literally one million (1.0 × 10^6) alternatives to HTML designed for this circumstance, allowing users to bold and link their text, but not to include JavaScript or external stylesheets or malicious </table> tags.
There’s BBCode, and Textile, and 999,998 others; Wikipedia, which uses its own markup language, has a good list.
You figure even the lamest user can learn to use [i] instead of <i>, and you’re right. The problem comes when the user has to remember which particular markup syntax to use on each of the literally one million sites he or she contributes to. That is a huge hassle.
As Jeff at Coding Horror and Jeremy at iRi point out, it’s much better to just use good old HTML, which your users will need to learn at some point anyway if they don’t know it yet. It’s fairly simple and readable, and most importantly it’s standard.
Of course you’ll want to accept a subset of HTML, not every last tag. Use a whitelist of acceptable tags and attributes, or, as Jeremy suggests, “compile” user input into good output.
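As an added example, not code from this post or from the sites it cites, here is a whitelist filter of the kind the paragraph describes, written on Python's standard-library html.parser: tags and attributes not on the list are dropped (their text is kept, except for script and style), href values are checked for a safe scheme so a permitted tag cannot smuggle in a script, and all text is re-escaped on output. The tag list, the allowed schemes and the sample inputs are assumptions chosen for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse
# Whitelist: allowed tags, and for each the attributes it may carry (chosen for this example).
ALLOWED = {"b": set(), "i": set(), "em": set(), "strong": set(), "p": set(), "br": set(),
           "ul": set(), "ol": set(), "li": set(), "blockquote": set(), "a": {"href", "title"}}
VOID = {"br"}                        # tags that take no closing tag
DROP_CONTENT = {"script", "style"}   # disallowed tags whose text content is dropped too
SAFE_SCHEMES = {"http", "https", "mailto"}

def safe_url(value):
    # Accept relative URLs and http(s)/mailto; reject javascript:, data:, vbscript: and friends.
    # Browsers ignore control characters and whitespace inside a scheme, so strip them first.
    scheme = urlparse(re.sub(r"[\x00-\x20]", "", value)).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES

class Whitelist(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open, self.skip = [], [], 0
    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
        if tag not in ALLOWED or self.skip:
            return                   # unknown tag: drop the tag itself, keep its text
        parts = [tag]
        for name, value in attrs:    # names are already lowercased, values entity-decoded
            if name in ALLOWED[tag] and value is not None and (name != "href" or safe_url(value)):
                parts.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append(f"<{' '.join(parts)}{' /' if tag in VOID else ''}>")
        if tag not in VOID:
            self.open.append(tag)
    def handle_endtag(self, tag):
        if tag in DROP_CONTENT and self.skip:
            self.skip -= 1
        elif tag in self.open:       # close later-opened tags first so output stays well-formed
            while (t := self.open.pop()) != tag:
                self.out.append(f"</{t}>")
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))   # stray '<' and '&' are re-escaped

def sanitize(html):
    p = Whitelist()
    p.feed(html)
    p.close()
    return "".join(p.out) + "".join(f"</{t}>" for t in reversed(p.open))  # close what was left open
```

Note that a stray closing tag such as </table> is simply ignored because it was never opened, and unbalanced input is closed off so it cannot swallow the rest of the page.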