Safely embed HTML in a $string


ajoo


If YOU are creating the actual HTML code, then there is no risk. If the HTML is coming 'from' somewhere (dynamic, and not static, so to speak) then you have to prepare it first. You will have to run htmlentities() on it before outputting it, though.


Hi requinix and ginerjm!!

 

Thanks for the response! Ya, so the HTML escaping is not possible. As for the message, it could be static or dynamic, but I don't think it would include any user-inputted data in it.

 

However, let's consider that the data is dynamic and also has some user input appended to the message. So I would like to know what the best way is to construct such a message so that it is perfectly safe.

 

Thanks loads!


Unfortunately strip_tags() is only a partial solution. Consider something like

image
strip_tags() can allow the but it doesn't do any validation on the rest of the tag.

 

I don't think it would include any user inputted data in it.

Then there's no risk - just make sure the HTML is well-formed.

 

However let's consider that the data is dynamic and also has some user input appended to the message.

Can you reduce that to a situation where the user input does not contain HTML? You could always prompt for more than one piece of data if you needed to fit it into a sort of template.

Hmmm! How about as follows:

<?php
    $username = $_POST['username'];
    .
    .

    $msg = "<p> This is a test </p>".html_escape($username);
    .
    .
    .
    echo $msg;
?>

Wouldn't that sort out the issue of user input that is included?

Edited by ajoo

Hi Guru Jacques,

 

If you are referring to #9, that is the solution that I think should work. I am just asking for a confirmation.

 

This:

html_escape "<p> This is a test. </p></p>This is another.</p>"

is what won't work, as I tested it.

 

Thanks!

Edited by ajoo
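The approach discussed in the last two posts, written out as an added example (not code from the thread): the markup is a fixed template written by the developer, and only the user-supplied pieces pass through the escaper. PHP has no built-in html_escape(); the standard function is htmlspecialchars(), so a small wrapper h() stands in for it here. The $_POST values are replaced by constructed sample strings so the script runs offline.

```php
<?php
// Added example: static HTML template + escaped user data.
// h() is an assumed helper name; htmlspecialchars() is the real PHP function.
declare(strict_types=1);

function h(string $value): string
{
    // ENT_QUOTES escapes both quote styles, so the value is also safe inside
    // attribute values; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
    // returning an empty string, which would silently drop the input.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderMessage(string $username, string $body): string
{
    // The tags are ours and never come from the request, so they are not
    // escaped; every piece of request data is escaped exactly once.
    return '<p>Hello, <strong>' . h($username) . '</strong>.</p>'
         . '<p>' . h($body) . '</p>';
}

// Constructed sample input standing in for $_POST['username'] and a second
// field, as suggested in the thread: prompt for each piece separately.
$username = 'Mallory <script>alert(1)</script>';
$body     = 'Visit "example" & say \'hi\'';

echo renderMessage($username, $body), PHP_EOL;

// What the last post observed: passing the template itself through the
// escaper turns its tags into visible text, so escape data, not markup.
echo h('<p> This is a test. </p>'), PHP_EOL;
```

Running the script shows the first message rendering as harmless text inside the intended paragraphs, while the second line shows the template's own tags escaped into literal angle brackets.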