How can I prevent users from entering HTML in a textarea?

mesh2005 · June 26, 2007

I want to add client-side (JS) and server-side (PHP) checks to prevent users from entering HTML into a textarea, how can I do so?

Thank you

TripleDES · June 26, 2007

I found this function for you in PHP: strip_tags( )

PHP won't prevent the user from entering HTML, but this function will strip it out.

corillo181 · June 26, 2007

you could use java script to see if they used anything other then simple text and numbers..

so check in to javascript..

php needs for you to submit the text so the user can enter it, but it wont work ..but with javascript they can't enter it at all.

ToonMariner · June 26, 2007

Implement both but javascript can be disabled so you MUST check server side to ensure no html is entered to be absolutely sure.

Azu · July 11, 2007

Don't even bother with the javascript.

Anyone wanting to find exploits is going to have javascript either completely killed, or just block whatever protection you put in it.

And on top of that, you will only piss off legitimate users, maybe forcing them to just give up entirely and not try to use the form ever again.

Just let PHP remove any bad data. No problems then.

Recommended Posts