I'm trying to create a BBCode for a forum and unfortunately the user's input needs to go into an HTML attribute. I don't know much about XSS attacks, except that it's a very real and potentially serious problem. My question is, how can I prevent an XSS attack if the user input must go inside an HTML attribute?

Would using str_replace() to erase any quotes or apostrophes in the user input be enough to prevent an XSS attack?

Don't allow any <script> tags and don't exec() any user input code.

But that wouldn't stop XSS attacks as described in this thread, right?

For BBCode why would you allow the event attributes to be populated?

I'm trying to allow LaTeX on a forum and the images are generated like this:

Code:

<img src="http://latex.codecogs.com/gif.latex?userinput"/>

So I need to parse the user input and delete whatever characters create an XSS vulnerability. Most of the characters on the keyboard need to be allowed, though, because LaTeX uses most characters.

You just need to look for, and break character patterns that could present a risk factor

<script, onload,onunload, onclick, onmouse*, exec(, <?, <?php and so on

to kill them you simply insert a space somewhere in the sequence found.