EchoFool Posted July 15, 2008 I have a problem with my messages system whereby if a user types in HTML in the block of text the receiver sees it as if it's a page layout. How do I stop that from happening? I currently have this before it goes into the query: <?php $MessageText = mysql_real_escape_string(stripslashes($_POST['letter'])); ?> (from sender) And this for when it is echoed (the receiver reading it): <?php echo ucfirst(nl2br(stripslashes($MessageText))); ?> Also tried: <?php echo ucfirst(stripslashes(nl2br($MessageText))); ?> Neither worked... Suggestions?
kenrbnsn Posted July 15, 2008 You need to use the function htmlentities() on the output: <?php echo ucfirst(nl2br(htmlentities(stripslashes($MessageText), ENT_QUOTES))); ?> Ken
KevinM1 Posted July 15, 2008 Slashes/escaping != HTML elements. Use either htmlentities or htmlspecialchars. Htmlentities: http://www.php.net/manual/en/function.htmlentities.php Htmlspecialchars: http://www.php.net/manual/en/function.htmlspecialchars.php
rhodesa Posted July 15, 2008 when printing, wrap it in htmlspecialchars()
MadTechie Posted July 15, 2008 use htmlentities(); edit: lol all on the same page
EchoFool (Author) Posted July 15, 2008 Hang on, this can't work as I call a div when someone quotes, so now the message shows: <div class='quotetop'>QUOTE <span class=PositiveMoney> </span></div><div class='quotemain'><span class=NegativeMoney>Should not be red</span></div> Is there a way to give exceptions? Or to stop it on input rather than output?
MadTechie Posted July 15, 2008 what was the question?
EchoFool (Author) Posted July 15, 2008 Basically, on output, say a user put <span class=name>text</span>; it would take effect if that class was a valid one. So to stop people using classes and divs I needed the function that you guys have suggested. So I used it, but then forgot that if a user quotes another user, the quote is constructed via "<div>" to separate the quoted message from the actual message so people know what is being quoted. However, with the htmlentities function it has now caused the quotes to just come out as a block of text... So messages that quoted a post now just look like: <div class='quotetop'>QUOTE <span class=PositiveMoney> </span></div><div class='quotemain'><span class=NegativeMoney>Should not be red</span></div> So is there a way to allow certain divs with htmlentities and not others, or some method of avoiding this problem?
EchoFool (Author) Posted July 15, 2008 Bump, any thoughts?
discomatt Posted July 15, 2008 This is where things get complex. Your easiest bet is to use a BBCode parser, and use [ quote ][ /quote ] when quoting, then convert those to <div style="quote"></div>
EchoFool (Author) Posted July 15, 2008 I do have that. If a user puts [Q] it converts to: <div class='quotetop'>QUOTE <span class=PositiveMoney> </span></div><div class='quotemain'><span class=NegativeMoney><?=$Message?> And [/Q] converts to: </span></div> But as you can see from above it won't allow it through... unless I'm misunderstanding what you mean?
discomatt Posted July 15, 2008 You want to call htmlentities, which won't affect [Q], THEN convert the [Q]s to HTML.
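The order discomatt describes, as an added example that is not code from the thread or the original site: escape the whole message first, then turn the forum's own [Q]...[/Q] markers into the quote markup. The renderMessage() function, the regex and the sample input are assumptions; the class names mirror the ones EchoFool posted, and the stored text is assumed to already have had stripslashes() applied.

```php
<?php
// Added example: output encoding first, BBCode-to-HTML conversion second.
// Anything the user typed, including <div> or <span>, stays escaped; only the
// markup this function generates becomes live HTML.

function renderMessage(string $raw): string
{
    // 1. Neutralise every user-supplied tag. ENT_QUOTES also encodes ' and "
    //    so the text can never break out of an attribute value.
    $safe = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');

    // 2. htmlspecialchars() leaves square brackets alone, so [Q] and [/Q] are
    //    still plain text here. Convert a balanced pair into the quote markup
    //    (the regex is an assumption, not the original site's code).
    $html = preg_replace(
        '/\[Q\](.*?)\[\/Q\]/si',
        '<div class="quotetop">QUOTE <span class="PositiveMoney"></span></div>'
        . '<div class="quotemain"><span class="NegativeMoney">$1</span></div>',
        $safe
    );

    // 3. Line breaks last, so the <br /> tags we add are not escaped.
    return ucfirst(nl2br($html));
}

// Constructed sample input: one quoted line plus an attempt to inject markup.
$sample = "[Q]Should not be red[/Q]\n<span class=NegativeMoney>my reply</span>";
echo renderMessage($sample);
// The [Q] block renders as the quote div; the typed <span> is shown as text.
```

An unmatched [Q] is simply left as literal text, and nested quotes are not handled by the single non-greedy regex, so a real BBCode parser is still the better choice once the markup grows beyond one tag.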
EchoFool (Author) Posted July 15, 2008 The output which has <div class etc. won't be detected as CSS or HTML because of the functions before it... so it'll always come out as a block of chars and nothing else. So if I put [Q] to HTML... the HTML will just come out as just chars, like it is already, right? I can't get my head around this properly =/