try this (untested)


// replace < and > and friends with their html equivelants.
$input = htmlenitities($input);

$input = preg_replace("!&lt;(b|i|u)&gt;(.*?)&lt;/\\1&gt;!is", "<$1>$2</$1>",

echo $input;


I use something like this on one of my sites, though I check as the user
inputs the info whether or not there are matching opening and closing tags
before inputting to the db, and later echoing them out and doing the

Hope it helps, anyway.


"Justin French" <[EMAIL PROTECTED]> wrote in message
> Hi all,
> Further to a discussion we had yesterday about the danger of onLoad,
> onMouseOver, etc etc of allowed tags when using strip_tags(), I've decided
> to look at the issue from another angle.
> For the limited set of tags I usually allow on user input, <B><I><U>, I'm
> going take the approach of deleting anything I don't specifically TRUST,
> rather than deleting things I don't trust.
> For such simple tags, It seems to me to be a smarter move to delete
> in the tag apart from the actual tag.
> <B"anything else"> becomes <B>
> This eliminates the danger of people putting anything evil like
> onmouseover="javascript:self.close();" into my small set of allowed tags.
> So, I'd like a regexp which looks for multiple occurences of a tag (let's
> take <B> for an example), and throw out anything not needed.
> In English, I guess it looks like:
> look for a "<" followed by a "b" (case insensitive), then throw away
> anything up to the first ">" we find.
> Better still would be a regexp or function that checks for b|i|u, or a
> passed set of tags.
> I'm aware that this type of hard-line approach will prevent <B id="foo">,
> and I will also have problems on things like <FONT face="something"> and
> HREF="foo.php">, but I plan to devise some psuedo tags for links, and
> require font tags, image tags, etc etc.
> Many thanks in advance,
> Justin French

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to