
Allowing some HTML in submitted content


Andy17


Hey guys,


OK, so actually I have two questions that are kind of related. The first one is how I can allow users to use <i>, <b>, <strong> tags when submitting information in a form. I would like to allow certain tags so they can emphasize things in their text, but I still want to strip the rest for security reasons. I tried using strip_tags() with some exceptions as a second parameter, but as far as I understand, that just allows them to be displayed as text, not for the browser to make text bold for instance. Below is what I have now.

 

function stripdata($data) {
return trim(htmlentities(stripslashes($data), ENT_QUOTES));
}

echo stripdata($someDataFromMySQL);

 

I also want to ask if the solution above is 100% safe, so that users cannot submit malicious code that executes when other users visit a page of mine that displays it.


Thank you in advance. :)


I am still a newbie, but this sounds rather similar to a bad/good-word filter, or at least bb-code.

I think if you made a safe array with stuff like <b> </b> and got the rest out, that should do the trick. At least that's what my brains are telling me. I also found a document once on Google with a regex that was used to do this; maybe have a go there.


Don't let them use html-tags, but let them use bb-tags instead (like within this forum).

 

so make your users know that they should use

[b] and [/b], [u] and [/u] etc.. 

 

After getting the information in, use htmlspecialchars to remove all html entries and make the code safe:

 

$data= htmlspecialchars(trim($_POST['data']));

 

store it and after that, just before placing the data, replace all the bb-tags with html again with str_replace:

 

$data= str_replace("[b]", "<b>", $data);
$data= str_replace("[/b]", "</b>", $data);
$data= str_replace("[u]", "<u>", $data);
$data= str_replace("[/u]", "</u>", $data);
etc..

 

and after that, you can place the data :)

 

echo $data;


Alkimuz, may I ask if that prevents people from inserting sneaky JavaScript? Because I read somewhere htmlspecialchars isn't safe enough.

Anyways, nice way to put in the bbcode check afterwards, instead of what I thought: looking for them and then storing. Very smart, thank you.


strip_tags() strips all tags except what you tell it not to. The problem is that you are using htmlentities() which turns the < into &lt; and the > into &gt; so it won't display as HTML tags but text.

 

Yes, I realized that is what was causing the problem. Actually I was looking for a way to include exceptions with htmlentities() because I have always been told that's the best one to use. :)

 


Thanks, your code was good inspiration for me, but I decided to not use htmlspecialchars when inserting data. I am inserting my data 100% clean and original, except when I use mysql_real_escape_string. Then I take all of the needed security precautions (I hope) before displaying the data. It won't harm my database anyways. :)

 

I did like this:

 


function stripdata($data) {
	return trim(htmlentities(stripslashes($data), ENT_QUOTES));
}

function showStyling($data) {
	$data = str_replace('[b]', '<b>', $data);
	$data = str_replace('[/b]', '</b>', $data);

	$data = str_replace('[u]', '<u>', $data);
	$data = str_replace('[/u]', '</u>', $data);

	$data = str_replace('[i]', '<i>', $data);
	$data = str_replace('[/i]', '</i>', $data);

	return $data;
}

echo nl2br(showStyling(stripdata($row['text'])));

 

Thanks a lot for your post - it was a great help!

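The escape-then-convert approach Alkimuz describes and Andy17 adopts, written out as an added example (not code from the thread). It assumes PHP 7.1+ with magic quotes off (so no stripslashes), the [b], [i], [u] allowlist from the thread, and adds what the str_replace version lacks: tags are tracked on a stack, so an unclosed [b] is closed at the end instead of styling the rest of the page and a stray [/b] is dropped.

```php
<?php
// Added example, not the thread's code: escape everything first, then turn a
// closed allowlist of BBCode tags into attribute-free HTML. Assumes PHP 7.1+
// and magic quotes off (so no stripslashes); allowlist taken from the thread.
const ALLOWED_BBCODE = ['b', 'i', 'u'];

function escapeUserText(string $text): string {
    // Escape once, with ENT_QUOTES so " and ' are covered. Do not chain
    // htmlspecialchars() and htmlentities(): & would become &amp;amp;.
    return htmlspecialchars(trim($text), ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function bbcodeToHtml(string $escaped): string {
    // Runs on already-escaped text, so the only < and > in the output are the
    // ones this function emits. Open tags are kept on a stack so an unclosed
    // [b] is closed at the end and a stray [/b] is dropped.
    $pattern = '~\[(/?)(' . implode('|', ALLOWED_BBCODE) . ')\]~i';
    $open = [];
    $out = '';
    $pos = 0;
    while (preg_match($pattern, $escaped, $m, PREG_OFFSET_CAPTURE, $pos)) {
        [$full, $off] = $m[0];
        $out .= substr($escaped, $pos, $off - $pos);
        $tag = strtolower($m[2][0]);
        if ($m[1][0] === '') {
            $open[] = $tag;
            $out .= "<$tag>";
        } elseif (($k = array_search($tag, $open, true)) !== false) {
            // Closing tag: close anything opened after it, then the tag itself.
            while (count($open) > $k) {
                $out .= '</' . array_pop($open) . '>';
            }
        }
        $pos = $off + strlen($full);
    }
    $out .= substr($escaped, $pos);
    while ($open) {
        $out .= '</' . array_pop($open) . '>';
    }
    return $out;
}

function renderUserText(string $raw): string {
    return nl2br(bbcodeToHtml(escapeUserText($raw)));
}

// Constructed sample input, as a user might submit it in the form.
$sample = "[b]Hi[/b] <script>alert(1)</script> [i]unclosed";
echo renderUserText($sample), "\n";
```

For the sample, the script element comes out as &lt;script&gt; text, the [b] pair becomes <b>Hi</b>, and the unclosed [i] is closed before the output ends.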

Glad I could help :) Nice solution at the end!

I'm not sure.. I've used it without problem, but then again, I don't have big websites that are under a lot of attack; I only prevent moderators from making mistakes ;) Maybe use it together with htmlentities for transforming anything that is left, to make it safer?

 

$data= htmlentities(htmlspecialchars(trim($_POST['data'])));

 

thanks for the compliment ^^, the advantage in changing it afterwards is that you can edit your bb-coded text after storing it without transforming it again ;)
