preventing html comment injection

[php_begins]

hi,

Suppose, when a user enters something like <!--  TEST  -->  in my form field.

And later when I want to display it, how would it be possible to get rid of the html comments. Right now it displays nothing because of the comment symbols.

 

strip_tags just removes the anything b/w <>. Is there any method that would make it work?

 

[AbraCadaver]

It won't get rid of it but transform it and is a good idea before you display user submitted data:  htmlentities()

[fugix]

i would use str_replace()

$string = '<!-- TEXT -->';
$srch = '<!->';
str_replace($srch,'',$string);

[Adam]

If you just want to strip out HTML comments, you can use this:

 

$str = preg_replace('/<!--.*?-->/s', '', $str);

[gizmola]

i would use str_replace()

$string = '';
$srch = '';
str_replace($srch,'',$string);

 

Fugix, do you not see a problem with that code?  You might want to test a suggestion like that before you post it next time.

[fugix]

meh you're right Gizmo, my fault.

[php_begins]

thanks for the suggestion Gizmola!

[gizmola]

thanks for the suggestion Gizmola!

 

MrAdam's suggestion is what I'd run with.  Just wanted to clarify that Fugix's code would not work for you.