Andy17 Posted August 25, 2010 Share Posted August 25, 2010 Hey guys, OK, so actually I have two questions that are kind of related. The first one is how I can allow users to use <i>, <b>, <strong> tags when submitting information in a form. I would like to allow certain tags so they can emphasize things in their text, but I still want to strip the rest for security reasons. I tried using strip_tags() with some exceptions as a second parameter, but as far as I understand, that just allows them to be displayed as text, not for the browser to make text bold for instance. Below is what I have now. function stripdata($data) { return trim(htmlentities(stripslashes($data), ENT_QUOTES)); } echo stripdata($someDataFromMySQL); I also want to ask if the solution above is 100% safe so that users can not submit malicious code that can execute when users' visit a page of mine that displays that code. Thank you in advance. Quote Link to comment Share on other sites More sharing options...
AbraCadaver Posted August 25, 2010 Share Posted August 25, 2010 strip_tags() strips all tags except what you tell it not to. The problem is that you are using htmlentities() which turns the < into < and the > into > so it won't display as HTML tags but text. Quote Link to comment Share on other sites More sharing options...
fortnox007 Posted August 26, 2010 Share Posted August 26, 2010 I am still a newbie but this sounds rather similar to a bad/good-word filter. or atleast bb-code I think if you would make a save array with stuff like <b> </b> and get the rest out that should do the trick. Atleast thats what my brains are telling me. I also found a document ones on google with regex that was used to do this. maybe have a go there. Quote Link to comment Share on other sites More sharing options...
Alkimuz Posted August 26, 2010 Share Posted August 26, 2010 dont let them use html-tags, but let them use bb-tags instead (like within this forum) so make your users know that they should use [b] and [/b], [u] and [/u] etc.. after getting the information in, use htmlspecialchars to remove all html-entries and make the code save: $data= htmlspecialchars(trim($_POST['data'])); store it and after that, just before placing the data, replace all the bb-tags with html again with str_replace: $data= str_replace("[b]", "<b>", $data); $data= str_replace("[/b]", "</b>", $data); $data= str_replace("[u]", "<u>", $data); $data= str_replace("[/u]", "</u>", $data); etc.. and after that, you can place the data echo $data; Quote Link to comment Share on other sites More sharing options...
fortnox007 Posted August 26, 2010 Share Posted August 26, 2010 Alkimuz may I ask if that prevents people from inserting sneaky javascripts. Because i read somewhere htmlspecialcaracters isn't save enough. Anyways Nice way, to put in bbcode check afterwards, instead of what i thought looking for them and than store. Very smart thank you. Quote Link to comment Share on other sites More sharing options...
Andy17 Posted August 26, 2010 Author Share Posted August 26, 2010 strip_tags() strips all tags except what you tell it not to. The problem is that you are using htmlentities() which turns the < into < and the > into > so it won't display as HTML tags but text. Yes, I realized that is what was causing the problem. Actually I was looking for a way to include exceptions with htmlentities() because I have always been told that's the best one to use. dont let them use html-tags, but let them use bb-tags instead (like within this forum) so make your users know that they should use [b] and [/b], [u] and [/u] etc.. after getting the information in, use htmlspecialchars to remove all html-entries and make the code save: $data= htmlspecialchars(trim($_POST['data'])); store it and after that, just before placing the data, replace all the bb-tags with html again with str_replace: $data= str_replace("[b]", "<b>", $data); $data= str_replace("[/b]", "</b>", $data); $data= str_replace("[u]", "<u>", $data); $data= str_replace("[/u]", "</u>", $data); etc.. and after that, you can place the data echo $data; Thanks, your code was good inspiration for me, but I decided to not use htmlspecialchars when inserting data. I am inserting my data 100% clean and original, except when I use mysql_real_escape_string. Then I take all of the needed security precautions (I hope) before displaying the data. It won't harm my database anyways. I did like this: function stripdata($data) { return trim(htmlentities(stripslashes($data), ENT_QUOTES)); } function showStyling($data) { $data = str_replace('[b]', '<b>', $data); $data = str_replace('[/b]', '</b>', $data); $data = str_replace('[u]', '<u>', $data); $data = str_replace('[/u]', '</u>', $data); $data = str_replace('[i]', '<i>', $data); $data = str_replace('[/i]', '</i>', $data); return $data; } echo nl2br(showStyling(stripdata($row['text']))); Thanks a lot for your post - it was a great help! Quote Link to comment Share on other sites More sharing options...
Alkimuz Posted August 26, 2010 Share Posted August 26, 2010 glad i could help nice solution at the end! Alkimuz may I ask if that prevents people from inserting sneaky javascripts. Because i read somewhere htmlspecialcaracters isn't save enough. Anyways Nice way, to put in bbcode check afterwards, instead of what i thought looking for them and than store. Very smart thank you. i'm not sure.. i've used it without problem, but than again, i don't have big websites that are under a lot of attack, i only prevent moderators from making mistakes maybe use it togethet with htmlentities for transforming anything that is left to make it saver? $data= htmlentities(htmlspecialchars(trim($_POST['data']))); thanks for the compliment ^^, the advantage in changing it afterwards is that you can edit your bb-coded text after storing it without transforming it again Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.