On Friday, March 15, 2002, at 03:17 PM, Alain Dresse wrote:
> I want to allow the users of my site to insert text with anchors, bold
> and italic html tags. I have filtered out all the other tags. I now want
> to convert the other <, >, quote, double quote and & to html entities.
> If I use the function htmlspecialchars, it of course also quotes the
> "valid" anchors.
I was wondering about a similar scheme to this -- here's my idea:
take all user input, and in addition to running it through
error-checking functions, run it through htmlentities() to turn all of
its HTML into entities. This prevents any user-input HTML from being
created (it becomes "literal").
Then, running str_replace() for each HTML tag that I -want- to enable.
str_replace is faster than any of the regex functions, from what I hear,
and if I want to enable just b, i, em, strong, and a tags, it seems like
I could just str_replace the entities for these to transform them back
to proper tags (i.e. change "" back to "").
This seems like an efficient way to do it, but is it any faster or
better than just using strip_tags() ? When I originally thought of
doing it, it seemed like a good way of getting around the fact that
user-specified JavaScript attributes are still allowed in
strip_tags()-parsed text. But now that I think about it, there's no difference
Erik
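Erik's escape-then-restore scheme as an added PHP example (not code from the thread), beside the strip_tags() comparison he raises. It assumes an allow-list of b, i, em, strong and a, uses htmlspecialchars() since only the markup characters need escaping, and the function name allow_limited_html and the sample input are constructed for illustration.

```php
<?php
// Added example (not the thread's code): escape everything, then restore a
// short whitelist of tags. Anchors use a regex so the href can be validated.

function allow_limited_html(string $input): string
{
    // 1. Neutralise all markup: <, >, &, " and ' become entities, so at this
    //    point nothing the user typed is HTML.
    $out = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');

    // 2. Restore attribute-less formatting tags. The escaped form is exact, so
    //    "&lt;b onmouseover=...&gt;" never matches and stays literal text, and a
    //    literal "&lt;b&gt;" typed by the user became "&amp;lt;b&amp;gt;" in step 1.
    foreach (['b', 'i', 'em', 'strong'] as $tag) {
        $out = str_replace(
            ["&lt;$tag&gt;", "&lt;/$tag&gt;"],
            ["<$tag>", "</$tag>"],
            $out
        );
    }

    // 3. Restore <a href="..."> only when href is the sole attribute and
    //    decodes to a plain http(s) URL; anything else (javascript:, data:,
    //    extra attributes) is left as escaped text.
    return preg_replace_callback(
        '~&lt;a href=&quot;(.*?)&quot;&gt;(.*?)&lt;/a&gt;~is',
        function (array $m): string {
            $url = html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
            if (!preg_match('~^https?://[^\s"\'<>]+$~i', $url)) {
                return $m[0];
            }
            $href = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
            return '<a href="' . $href . '">' . $m[2] . '</a>';
        },
        $out
    );
}

// Constructed sample mixing allowed markup with hostile markup.
$sample = 'Hi <b>there</b>, see <a href="http://example.com/?a=1&b=2">this</a>, '
        . 'not <a href="javascript:alert(1)">this</a>, '
        . '<b onmouseover="alert(1)">nor this</b> <script>alert(1)</script>';

echo allow_limited_html($sample), "\n";
// For comparison, strip_tags() with an allow-list keeps the tags' attributes,
// so the onmouseover handler and the javascript: href survive here.
echo strip_tags($sample, '<b><i><em><strong><a>'), "\n";
```

Tags typed in a different case (such as <B>) stay escaped under this scheme, which is a safe default; lowercasing the input before step 1 would change that if desired.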
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php