On Friday, March 15, 2002, at 03:17 PM, Alain Dresse wrote:
I want to allow the users of my site to insert text with anchors, bold and italic html tags. I have filtered out all the other tags. I now want to convert the other <, >, quote, double quote and & to html entities. If I use the function htmlspecialchars, it of course also quotes the valid anchors.
I was wondering about a similar scheme to this -- here's my idea: take all user input, and in addition to running it through error-checking functions, run it through htmlentities() to turn all of its HTML into entities. This prevents any user-input HTML from being created (it becomes literal).
Then, running str_replace() for each HTML tag that I -want- to enable. str_replace is faster than any of the regex functions, from what I hear, and if I want to enable just b, i, em, strong, and a tags, it seems like I could just str_replace the entities for these to transform them back to proper tags (i.e. change &lt;b&gt; back to <b>).
This seems like an efficient way to do it, but is it any faster or better than just using strip_tags()? When I originally thought of doing it, it seemed like a good way of getting around the fact that user-specified JavaScript attributes are still allowed in strip_tags()-parsed text. But now that I think about it, there's no difference
Erik
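The scheme Erik describes, worked through as an added example that is not part of the original thread (the function names allow_limited_html and strip_tags_only, and the sample input, are constructed for illustration): encode everything with htmlspecialchars(), restore the attribute-less tags with str_replace(), and handle anchors separately, since an anchor carries an href and a plain string replacement cannot restore it without also restoring whatever else was typed inside the tag. The strip_tags() variant is included for contrast, because it keeps every attribute of an allowed tag, event handlers included.

```php
<?php
// Added example, not code from the original mailing-list post.

function allow_limited_html(string $input): string
{
    // Step 1: neutralise every tag and entity the user supplied.
    // ENT_QUOTES also encodes single quotes; the charset is explicit.
    $safe = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');

    // Step 2: restore only the attribute-less formatting tags. The search
    // string is the whole encoded tag, so "&lt;b onmouseover=...&gt;" does
    // not match and stays encoded (inert).
    foreach (['b', 'i', 'em', 'strong'] as $tag) {
        $safe = str_replace(
            ["&lt;{$tag}&gt;", "&lt;/{$tag}&gt;"],
            ["<{$tag}>",       "</{$tag}>"],
            $safe
        );
    }

    // Step 3: anchors. Match only the exact encoded shape
    //   &lt;a href=&quot;...&quot;&gt;text&lt;/a&gt;
    // (no other attributes), decode the captured href, accept it only if it
    // is a plain http(s) URL with no quotes or whitespace, and re-encode it
    // when emitting. Anything else is left as it was: encoded and harmless.
    $safe = preg_replace_callback(
        '#&lt;a href=&quot;([^\s]+?)&quot;&gt;(.*?)&lt;/a&gt;#s',
        function (array $m): string {
            $href = html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
            if (!preg_match('#^https?://[^\s"\'<>]+$#', $href)) {
                return $m[0]; // keep the encoded form, e.g. javascript: URLs
            }
            $href = htmlspecialchars($href, ENT_QUOTES, 'UTF-8');
            return '<a href="' . $href . '">' . $m[2] . '</a>';
        },
        $safe
    );

    return $safe;
}

// For comparison: strip_tags() with an allow-list keeps an allowed tag
// together with all of its attributes, which is the problem Erik notes.
function strip_tags_only(string $input): string
{
    return strip_tags($input, '<b><i><em><strong><a>');
}

// Constructed sample input mixing wanted markup, stray characters that need
// encoding, and tags/attributes that must not survive.
$sample = 'Hello <b>world</b> <a href="http://example.com/?a=1&b=2">link</a> '
        . '<b onmouseover="alert(1)">x</b> <a href="javascript:alert(1)">bad</a> '
        . '<script>alert(1)</script> 5 < 6 & "quotes"';

echo allow_limited_html($sample), PHP_EOL;
// Hello <b>world</b> <a href="http://example.com/?a=1&amp;b=2">link</a>
// &lt;b onmouseover=&quot;alert(1)&quot;&gt;x</b>
// &lt;a href=&quot;javascript:alert(1)&quot;&gt;bad&lt;/a&gt;
// &lt;script&gt;alert(1)&lt;/script&gt; 5 &lt; 6 &amp; &quot;quotes&quot;

echo strip_tags_only($sample), PHP_EOL;
// the <b onmouseover=...> and javascript: anchor survive intact here
```

The encode-then-restore order matters: because the restoration patterns only ever match the exact encoded shapes the code chose to allow, anything the user typed that is not on that list can only reach the output in encoded form. The stray `</b>` that survives after the rejected `<b onmouseover>` is an unmatched closing tag, which browsers ignore.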
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php