Well, like someone else said, it's hard to look for and match stuff that isn't there. In addition to the security benefit, it's just easier to code something that looks for [b](.*)[/b] and replaces those tags with <b> and </b> (or <strong> and </strong> if you want to be technically correct).
Honestly, if you've got a small group of people like you say then just teach them HTML so they don't make mistakes like this. Or provide a "preview" mode so they can double check their work.

---John W. Holmes...

PHP Architect - A monthly magazine for PHP Professionals. Get your copy today. http://www.phparch.com/

> -----Original Message-----
> From: Andy Crain [mailto:[EMAIL PROTECTED]
> Sent: Saturday, February 22, 2003 4:54 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [PHP] preg_match question: locating unmatched HTML tags
>
> John,
> Thanks. I'm considering that, but the application I'm working on is for a small intranet that will be for only a small group of supervised users, so vulnerability isn't such a large concern.
> Andy
>
> > -----Original Message-----
> > From: John W. Holmes [mailto:[EMAIL PROTECTED]
> > Sent: Saturday, February 22, 2003 1:06 AM
> > To: 'Andy Crain'; [EMAIL PROTECTED]
> > Subject: RE: [PHP] preg_match question: locating unmatched HTML tags
> >
> > > I'm trying to build a regexp that would parse user-supplied text and identify cases where HTML tags are left open or are not properly matched, e.g., <b> tags without closing </b> tags. This is for a sort of message board type of application, and I'd like to allow users to use some HTML, but just would like to check to ensure that no stray tags are input that would screw up the rest of the page's display. I'm new to regular expressions, and the one below is as far as I've gotten. If anyone has any suggestions, they'd be very much appreciated.
> >
> > Letting users enter HTML is a bad idea. Even if you only let them use <b> tags, they can still put ONCLICK and mouseover effects for the bold text to screw with your other users.
> >
> > Use a BB style code, such as [b] for bold, [i] for italics, etc. This way, you only match pairs and replace them with HTML and use htmlentities on anything else. This way an unmatched [b] tag won't be replaced with <b> and mess up your code.
> >
> > ---John W. Holmes...

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
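
The approach recommended in this thread (run htmlentities over everything, then convert only matched BB-code pairs into HTML), sketched as an added example that is not code from any of the messages above. The function name `render_bbcode`, the tag map and the sample strings are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

/**
 * Render user text that may contain [b]...[/b] and [i]...[/i].
 * Hypothetical helper for this example: all input is HTML-escaped first,
 * then only complete, correctly nested pairs become real tags.
 */
function render_bbcode(string $input): string
{
    // Step 1: escape every piece of HTML the user typed, attributes included,
    // so a <b> tag with an onclick handler is shown as text, not executed.
    $html = htmlentities($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // Step 2: whitelist of BB codes and the element each one maps to.
    $elements = ['b' => 'strong', 'i' => 'em'];

    // Brackets are escaped because [ and ] are regex metacharacters.
    // [^\[]* only matches a pair with no other bracket inside it, so pairs
    // are converted innermost-first and overlapping pairs never match.
    // \1 forces the closing code to be the same one that was opened.
    $pattern = '/\[(b|i)\]([^\[]*)\[\/\1\]/i';

    // Repeat until a pass converts nothing, which unwinds nested pairs.
    do {
        $html = preg_replace_callback(
            $pattern,
            function (array $m) use ($elements): string {
                $el = $elements[strtolower($m[1])];
                return "<{$el}>{$m[2]}</{$el}>";
            },
            $html,
            -1,
            $count
        );
    } while ($count > 0);

    return $html;
}

// Constructed sample inputs: a matched pair, a stray opener, raw HTML with
// an event handler, a nested pair, and an overlapping (mis-nested) pair.
$samples = [
    'Hello [b]world[/b]',
    'Stray [b]opener only',
    '<b onclick="alert(1)">hi</b>',
    '[b]bold [i]and italic[/i][/b]',
    '[b]one [i]two[/b] three[/i]',
];
foreach ($samples as $sample) {
    echo render_bbcode($sample), PHP_EOL;
}
```

Unmatched or overlapping codes are left on the page as literal bracketed text, so the output HTML always has balanced tags. A pair whose content contains a literal `[` is also left unconverted, which errs toward showing the code rather than emitting markup.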