On Friday, March 15, 2002, at 03:17 PM, Alain Dresse wrote:
> I want to allow the users of my site to insert text with anchors, bold
> italic html tags. I have filtered out all the other tags. I now want to
> convert the other <, >, quote, double quote and & to html entities. If
> I use the function htmlspecialchars, it of course also quotes the "valid"
I was wondering about a similar scheme to this -- here's my idea:
take all user input, and in addition to running it through
error-checking functions, run it through htmlentities() to turn all of
its HTML into entities. This prevents any user-input HTML from being
created (it becomes "literal").
Then, run str_replace() for each HTML tag that I -want- to enable.
str_replace is faster than any of the regex functions, from what I hear,
and if I want to enable just b, i, em, strong, and a tags, it seems like
I could just str_replace the entities for these to transform them back
to proper tags (i.e. change "&lt;b&gt;" back to "<b>").
This seems like an efficient way to do it, but is it any faster or
better than just using strip_tags() ? When I originally thought of
doing it, it seemed like a good way of getting around the fact that
strip_tags()-parsed text. But now that I think about it, there's no
PHP General Mailing List (http://www.php.net/)
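
The escape-then-restore scheme discussed in this message, as an added example that is not code from the original thread. The function name allow_basic_html() and the sample inputs are constructed for illustration, and the URL pattern is one conservative choice, not the only valid one.

```php
<?php
// Added example: escape everything first, then restore a fixed allow-list.

function allow_basic_html(string $input): string
{
    // 1. Neutralise all markup: <, >, &, " and ' become entities.
    $safe = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');

    // 2. Restore attribute-free tags by exact string match. Only the exact
    //    escaped form "&lt;b&gt;" matches, so "<b onclick=...>" stays literal.
    foreach (['b', 'i', 'em', 'strong'] as $tag) {
        $safe = str_replace(
            ["&lt;{$tag}&gt;", "&lt;/{$tag}&gt;"],
            ["<{$tag}>", "</{$tag}>"],
            $safe
        );
    }

    // 3. Anchors carry an attribute, so str_replace cannot restore them.
    //    Accept only <a href="http(s)://..."> with no other attributes.
    //    After step 1 the double quotes are &quot;. The URL character class
    //    excludes &, ;, quotes, < and >, so the value cannot close the
    //    attribute; URLs containing & therefore stay escaped (conservative).
    $safe = preg_replace(
        '~&lt;a href=&quot;(https?://[A-Za-z0-9./?=_%:#+-]+)&quot;&gt;~',
        '<a href="$1">',
        $safe
    );

    return str_replace('&lt;/a&gt;', '</a>', $safe);
}

// Constructed sample inputs: two that should render, three that should not.
$samples = [
    'Hello <b>world</b>',
    '<a href="https://www.php.net/">PHP</a>',
    '<b onclick="alert(1)">x</b>',
    '<script>alert(1)</script>',
    '<a href="javascript:alert(1)">x</a>',
];

foreach ($samples as $s) {
    echo allow_basic_html($s), "\n";
}
```

This approach does not balance tags: an unclosed <b> is restored as written, so the output should still be placed inside a container the page controls.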