
Allowing some HTML in submitted content


Andy17


Hey guys,

 

 

OK, so actually I have two questions that are kind of related. The first one is how I can allow users to use <i>, <b>, <strong> tags when submitting information in a form. I would like to allow certain tags so they can emphasize things in their text, but I still want to strip the rest for security reasons. I tried using strip_tags() with some exceptions as a second parameter, but as far as I understand, that just allows them to be displayed as text, not for the browser to make text bold for instance. Below is what I have now.

 

function stripdata($data) {
    // stripslashes() undoes magic_quotes escaping; htmlentities() with
    // ENT_QUOTES encodes <, >, &, " and ' so nothing renders as markup
    return trim(htmlentities(stripslashes($data), ENT_QUOTES));
}

echo stripdata($someDataFromMySQL);

 

I also want to ask if the solution above is 100% safe, so that users cannot submit malicious code that executes when users visit a page of mine that displays that code.

 

 

Thank you in advance. :)

https://forums.phpfreaks.com/topic/211730-allowing-some-html-in-submitted-content/
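As an added example (not code from the original post), the following script runs the two approaches from the question side by side on constructed inputs. It shows why strip_tags() with an allow-list is not a safe way to permit a few tags: the allowed tags are kept verbatim, including any attributes on them, so an event-handler attribute survives. The stripdata() function is the one from the post; the sample inputs are made up for the demo.

```php
<?php
// Added example, not code from the original post. Compares strip_tags()
// with an allow-list against the poster's stripdata() on constructed input.

function allowTagsWithStripTags(string $data): string {
    // Allow-list form: every other tag is dropped, these are kept verbatim,
    // attributes included. strip_tags() never looks inside a kept tag.
    return strip_tags($data, '<b><i><strong>');
}

function stripdata(string $data): string {
    // The function from the question: everything is encoded, nothing
    // renders as markup when echoed into the HTML body.
    return trim(htmlentities(stripslashes($data), ENT_QUOTES));
}

// Constructed sample inputs, not real user data.
$samples = [
    'plain'     => 'Hello <b>world</b>',
    'attribute' => '<b onmouseover="alert(1)">hover me</b>',
    'nested'    => '<strong><script>alert(1)</script></strong>',
    'quotes'    => 'It\'s "quoted" & <i>emphasised</i>',
];

foreach ($samples as $name => $input) {
    printf("%-9s strip_tags  : %s\n", $name, allowTagsWithStripTags($input));
    printf("%-9s htmlentities: %s\n\n", $name, stripdata($input));
}
```

The row to look at is `attribute`: strip_tags() returns `<b onmouseover="alert(1)">hover me</b>` unchanged, so the handler would run when the page is rendered, while stripdata() returns it fully encoded. The `nested` row shows the other half of strip_tags() behaviour: the `<script>` tag is removed but its text content stays. The encoded output of stripdata() is safe when echoed as HTML text or inside a quoted attribute; it is not a substitute for escaping in a JavaScript or URL context.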

I am still a newbie, but this sounds rather similar to a bad/good-word filter, or at least BBCode.

I think if you would make a safe array with stuff like <b> </b> and get the rest out, that should do the trick. At least that's what my brain is telling me. I also found a document once on Google with a regex that was used to do this. Maybe have a go there.

Don't let them use HTML tags, but let them use BB tags instead (like within this forum).

 

So make your users know that they should use

[b] and [/b], [u] and [/u], etc.

 

After getting the information in, use htmlspecialchars to remove all HTML entries and make the code safe:

 

$data = htmlspecialchars(trim($_POST['data']));

 

Store it, and after that, just before placing the data, replace all the BB tags with HTML again with str_replace:

 

$data = str_replace("[b]", "<b>", $data);
$data = str_replace("[/b]", "</b>", $data);
$data = str_replace("[u]", "<u>", $data);
$data = str_replace("[/u]", "</u>", $data);
// etc.

 

And after that, you can place the data. :)

 

echo $data;

Alkimuz, may I ask if that prevents people from inserting sneaky JavaScript? Because I read somewhere that htmlspecialchars isn't safe enough.

Anyway, nice way to put in the BBCode check afterwards, instead of what I thought: looking for them and then storing. Very smart, thank you.

strip_tags() strips all tags except what you tell it not to. The problem is that you are using htmlentities(), which turns the < into &lt; and the > into &gt;, so it won't display as HTML tags but as text.

 

Yes, I realized that is what was causing the problem. Actually I was looking for a way to include exceptions with htmlentities() because I have always been told that's the best one to use. :)

 


 

Thanks, your code was good inspiration for me, but I decided not to use htmlspecialchars when inserting data. I am inserting my data 100% clean and original, except when I use mysql_real_escape_string. Then I take all of the needed security precautions (I hope) before displaying the data. It won't harm my database anyway. :)

 

I did like this:

 


function stripdata($data) {
    // encode everything first; nothing the user typed renders as markup
    return trim(htmlentities(stripslashes($data), ENT_QUOTES));
}

function showStyling($data) {
    // runs on already-encoded text, so only these bracket tags become HTML
    $data = str_replace('[b]', '<b>', $data);
    $data = str_replace('[/b]', '</b>', $data);

    $data = str_replace('[u]', '<u>', $data);
    $data = str_replace('[/u]', '</u>', $data);

    $data = str_replace('[i]', '<i>', $data);
    $data = str_replace('[/i]', '</i>', $data);

    return $data;
}

echo nl2br(showStyling(stripdata($row['text'])));

 

Thanks a lot for your post - it was a great help!
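Both the recipe Alkimuz posted (htmlspecialchars on the way in, str_replace on the way out) and the stripdata()/showStyling() pair above rely on the same two facts: htmlspecialchars()/htmlentities() never touch `[` or `]`, so BBCode survives the escaping step, and the replacement step only ever emits tags from a fixed list. The added example below (my code, not either poster's) keeps that order but converts only properly paired tags with preg_replace, so a stray `[b]` cannot produce an unclosed `<b>` that swallows the rest of the page. The allow-list and the sample posts are made up for the demo.

```php
<?php
// Added example, not code from the original posters. Escape first, then
// turn a fixed allow-list of *paired* BBCode tags into HTML.

// Step 1: neutralize every HTML metacharacter. '[' and ']' are left
// alone, so BBCode passes through this step untouched.
function escapeHtml(string $data): string {
    return htmlspecialchars(trim($data), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Step 2: convert allow-listed BBCode pairs to HTML. A tag without a
// matching closing tag is left as literal text instead of becoming an
// unbalanced element. Hypothetical allow-list: b, i, u only.
function bbcodeToHtml(string $escaped): string {
    $allowed = ['b' => 'b', 'i' => 'i', 'u' => 'u'];   // bbcode => element
    foreach ($allowed as $tag => $element) {
        // non-greedy, case-insensitive, dot matches newlines
        $pattern = '/\[' . $tag . '\](.*?)\[\/' . $tag . '\]/is';
        $escaped = preg_replace($pattern, "<$element>\$1</$element>", $escaped);
    }
    return $escaped;
}

// Display path: escape -> bbcode -> line breaks, in exactly that order.
function render(string $userInput): string {
    return nl2br(bbcodeToHtml(escapeHtml($userInput)));
}

// Constructed sample posts, not real data.
$cases = [
    "Some [b]bold[/b] and [i]italic[/i] text",
    "Broken [b]never closed",
    "[b]<script>alert(1)</script>[/b]",
    "Nested [B][i]both[/i][/B]\nsecond line",
];

foreach ($cases as $post) {
    echo render($post), "\n";
}
```

The third case is the one that matters for the original question: after escaping it becomes `[b]&lt;script&gt;alert(1)&lt;/script&gt;[/b]`, and the replacement only wraps that encoded text in `<b>...</b>`, so the script never becomes a tag. The second case stays as the literal text `Broken [b]never closed`. Swapping the two steps breaks the scheme: converting first and escaping afterwards turns the generated `<b>` back into `&lt;b&gt;`. Keep this approach to tags that carry no attributes; a `[url]` or `[img]` tag whose content lands in an attribute needs its own validation of the scheme and quoting before it is emitted.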

Glad I could help. :) Nice solution at the end!

 


 

I'm not sure. I've used it without problem, but then again, I don't have big websites that are under a lot of attack; I only prevent moderators from making mistakes. ;) Maybe use it together with htmlentities for transforming anything that is left, to make it safer?

 

$data = htmlentities(htmlspecialchars(trim($_POST['data'])));

 

Thanks for the compliment. ^^ The advantage in changing it afterwards is that you can edit your BB-coded text after storing it without transforming it again. ;)
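Added example (not code from the poster) showing what the chained call above actually does to text: htmlspecialchars() has already turned `<` into `&lt;`, and a second pass encodes the `&` of that entity, so the reader sees the literal text `&lt;b&gt;` instead of `<b>`. The double_encode flag of htmlentities() is the way to re-escape data that may already contain entities without stacking them; the sample string is constructed.

```php
<?php
// Added example, not code from the original post. Shows double encoding
// and the double_encode=false alternative.

// The chained call from the thread: every '&' produced by the first pass
// is encoded again by the second one.
function encodeTwice(string $s): string {
    return htmlentities(htmlspecialchars($s));
}

// Encode once: existing entities such as &lt; and &amp; are left alone,
// everything else is encoded. Safe in HTML body text because an entity
// renders as a character, never as a tag.
function encodeOnce(string $s): string {
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false);
}

// Constructed input: raw markup mixed with text that is already encoded,
// as happens when data was escaped once on the way into the database.
$input = '<b>5 &lt; 6 &amp; "ok"</b>';

echo encodeTwice($input), "\n";
echo encodeOnce($input), "\n";
echo encodeOnce(encodeOnce($input)), "\n";   // idempotent: same as line 2
```

encodeTwice() yields `&amp;lt;b&amp;gt;5 &amp;amp;lt; 6 ...`, which a browser displays as the garbage string `&lt;b&gt;5 &amp;lt; 6 ...`; the second pass added no protection, it only broke the display. encodeOnce() yields `&lt;b&gt;5 &lt; 6 &amp; &quot;ok&quot;&lt;/b&gt;`, which displays as `<b>5 < 6 & "ok"</b>` as plain text, and running it again changes nothing. The simpler rule, and the one the thread ended up with, is to store the raw text and escape exactly once, at output time.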

Archived

This topic is now archived and is closed to further replies.
