On Friday, March 15, 2002, at 03:17  PM, Alain Dresse wrote:

> I want to allow the users of my site to insert text with anchors, bold 
> and
> italic html tags. I have filtered out all the other tags. I now want to
> convert the other <, >, quote, double quote and & to html entities. If 
> I use
> the function htmlspecialchars, it of course also quotes the "valid" 
> anchors.

I was wondering about a similar scheme to this -- here's my idea:

take all user input, and in addition to running it through 
error-checking functions, run it through htmlentities() to turn all of 
its HTML into entities.  This prevents any user-input HTML from being 
created (it becomes "literal").

Then, running str_replace() for each HTML tag that I -want- to enable.  
str_replace is faster than any of the regex functions, from what I hear, 
and if I want to enable just b, i, em, strong, and a tags, it seems like 
I could just str_replace the entities for these to transform them back 
to proper tags (i.e. change "&lt;b&gt;" back to "<b>").

This seems like an efficient way to do it, but is it any faster or 
better than just using strip_tags() ?  When I originally thought of 
doing it, it seemed like a good way of getting around the fact that 
user-specified JavaScript attributes are still allowed in 
strip_tags()-parsed text.  But now that I think about it, there's no 


PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to