This is pretty basic, and I recommend looking at all the string functions.

Basically, you want to use strip_tags() to get rid of the html (with
optionally allowing SOME tags to be passed thru.  Then use nl2br() to
convert /n's (the only type of newline you're likely to receive via a web
form) to <br />'s.

Let's say we only want to allow <B><I><U>;

$string = "<B>Bold</B>,<I>Italics</I>,<A

$string = strip_tags($string, "<B><I><U>");

$string = nl2br($string);

echo $string;

This will print:
<B>Bold</B>,<I>Italics</I>,link<br /><U>underline</U>

Ie, every tag apart from the allowed tags has been stripped, and the \n has
been changed to a break.

Of course, all this is in the manual :)

This doesn't strip out ALL evil however.  There's been some discussion about
the allowed tags having evil in them (eg <B
onmouseover="javascript:self.close();">) recently, and you'd also want to
trim the input down to a certain length (to save people flooding your server
with 50mb of text or something :)

The simple solution is not to think about what you KNOW of to be evil, but
look at it the other way, and only accept what you consider safe, and throw
out everything else.

Justin French

Justin French
Creative Director

on 11/04/02 11:07 PM, David ([EMAIL PROTECTED]) wrote:

> Hi all,
> I have a textarea which will containg info from the user. This then
> needs to be parsed through something like htmlspecialchars() or
> htmlentities().
> The issue is that my system really needs to do the following:
> 1. Accept the info
> 2. Check if there is any HTML syntax (<p>, etc)
> 3. If YES: remove anything that might be harmful (eg FORM, etc)
> 4. If NO: Add replace CR/LF with <BR>
> The idea is that normal formatting such as <b>, <i>, <u>, <a href> is
> ok, but I do not want off illegal stuff. I want something a little like
> Slashdot's stuff.
> Easy?? anyone know anything about this?
> Thanks
> David R

PHP General Mailing List (
To unsubscribe, visit:

Reply via email to