get_input() will do all the work, just keep htmlawed enabled.
Elgg's API is built in a way to protect you from XSS injections. All DB queries are sanitized by default, so unless you are writing custom SQL, you can bypass sanitizing.
get_input() will run user input through htmlawed and strip all unsafe tags, the rest will be sanitized before being added to the database.