I was hoping to solicit an opinion:

There are some text areas where HTML-savvy users could choose to 
"embolden" their text or "emphasize" it by using HTML.  But if I use 
htmlspecialchars() or htmlentities(), then this is not possible, even 
though it makes my site safer by eliminating any HTML-related characters 
that could compromise the site (like <img> tags or trying to close the 
<textarea> tag and execute code).  But I have seen some sites 
(admittedly running Slash, which is Perl and not PHP-based) that accept 
certain tags.

Do sites do this by running htmlspecialchars() on their users' input, 
and then running a custom function that does substr() on "safe" 
entities, turning them back into true tags?  Or is there some other 
method of allowing only certain HTML tags?  BTW, the substr() idea is 
just something I came up with in the shower, and might not even properly 
work or be efficient.




Erik Price
Web Developer Temp
Media Lab, H.H. Brown

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to