I have a form that allows people to upload an HTML or a text file. I'm using $_FILES['storyfile']['type'] to check that the file uploaded is text/html or text/plain. The contents of that upload are then run through strip_tags to make sure that only the HTML tags that I think are acceptable stay -- the contents of that file are then written to the server as a .txt file. That .txt file is then included on other pages at some point in the script.
Now my concern is that someone could upload a file that has some evil code in it that they would then be able to run -- is what I've done enough to prevent that from happening? Or is there something else that I can do to make this more secure?
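
The upload flow described above, hardened, as an added example that is not part of the original post. It checks the MIME type from the file's content instead of the browser-supplied $_FILES['storyfile']['type'], strips attributes that strip_tags leaves on allowed tags, and outputs the stored file with readfile() rather than include, so PHP never interprets it. STORY_DIR, ALLOWED_TAGS, the size limit and the function names are assumptions.

```php
<?php
// Added example; STORY_DIR, ALLOWED_TAGS and the function names are assumptions.
const STORY_DIR = '/var/www/stories';              // assumed: a directory outside the web root
const ALLOWED_TAGS = '<p><br><b><i><em><strong>';  // assumed allow-list for strip_tags()

function save_story(array $upload): string
{
    if ($upload['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($upload['tmp_name'])) {
        throw new RuntimeException('Upload failed');
    }
    if ($upload['size'] > 1024 * 1024) {           // assumed 1 MiB limit
        throw new RuntimeException('File too large');
    }
    // $upload['type'] is whatever the client sent. Guess the type from the
    // content instead; this is a sanity check, not a guarantee.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($upload['tmp_name']);
    if (!in_array($mime, ['text/plain', 'text/html'], true)) {
        throw new RuntimeException('Only text or HTML files are accepted');
    }
    $clean = strip_tags(file_get_contents($upload['tmp_name']), ALLOWED_TAGS);
    // strip_tags() keeps attributes (onclick, style, ...) on allowed tags,
    // so reduce every remaining tag to its bare name.
    $clean = preg_replace('/<(\/?[a-z][a-z0-9]*)\b[^>]*>/i', '<$1>', $clean);
    // The server picks the file name; the client-supplied name is never used.
    $name = bin2hex(random_bytes(16)) . '.txt';
    if (file_put_contents(STORY_DIR . '/' . $name, $clean, LOCK_EX) === false) {
        throw new RuntimeException('Could not store file');
    }
    return $name;
}

function show_story(string $name): void
{
    // Accept only names in the format save_story() generates.
    if (!preg_match('/^[a-f0-9]{32}\.txt$/', $name)) {
        throw new InvalidArgumentException('Bad story name');
    }
    // readfile() copies the bytes to the output. include would pass the file
    // to the PHP interpreter, whatever its extension.
    readfile(STORY_DIR . '/' . $name);
}

// Usage: $name = save_story($_FILES['storyfile']); later: show_story($name);
```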