Time for another question, however....
I understand how htmlspecialchars() and similar work, and I now understand
how to replace, etc.
Currently I am using an example script to work on creating my own BBcode-style editor for my
user submit form. After hours and hours and hours of looking at different help sites, I find the below
code the most pleasant for my needs.
As you can see, it strips and allows custom additions of permissions for allowed types.
My question comes into play where I wish it to NOT SHOW any HTML at all that it strips.
Mainly, I only want to allow the strings I create.
It currently strips the HTML, then re-adds it so that the browser does not view it as HTML.
You can see my working example of this script at
http://vilificnews.info/dev/safe.php
Code:
<?php
# remove unsafe html characters
# $html = our string which contains unsafe tags
#
# $allow_a = allow links in this string ?
# (only in the form of: [link]http://www.site.com[/link] ), 1=yes, 0=no
#
# $allow_img = allow images in this string ?
# (only in the form of: [img]http://www.site.com/image.gif[/img] ), 1=yes, 0=no
#
# $tags = allowed html tags as a regex alternation, e.g. 'p|b|i|u'
# (it gets a default because a required parameter may not follow optional ones)
function safeHTML($html, $allow_a=0, $allow_img=0, $tags='')
{
    # drop NUL bytes, then park every '&' in a NUL placeholder so entities that
    # are already in the input are not double-encoded by htmlspecialchars().
    # (the original used preg_replace() with '\0' as the replacement, which is a
    # backreference to the whole match, so the placeholder was never written)
    $html = str_replace("\0", '', $html);
    $html = str_replace('&', "\0", $html);
    $html = htmlspecialchars($html);
    if($tags)
    {
        # every tag now reads &lt;name ...&gt;, so the patterns must look for the
        # escaped brackets; allowed tags are rebuilt without their attributes
        # (the \b stops 'p' from matching the start of 'pre')
        $html = preg_replace("/&lt;($tags)\\b.*?&gt;/is", '<$1>', $html);
        $html = preg_replace("/&lt;\\/($tags)&gt;/i", '</$1>', $html);
    }
    # ereg_replace() was removed in PHP 7; use preg_replace() with a non-greedy
    # match so several [link] tags in one string are handled separately, and
    # accept only http(s) URLs, as the comment above promises (a javascript:
    # URL therefore stays as plain, escaped text)
    $link = '/\[link\](https?:\/\/\S+?)\[\/link\]/i';
    $img  = '/\[img\](https?:\/\/\S+?)\[\/img\]/i';
    if($allow_a)
        $html = preg_replace($link, '<a href="$1" target="_blank">$1</a>', $html);
    else
        $html = preg_replace($link, '', $html);
    if($allow_img)
        $html = preg_replace($img, '<img src="$1" border="0" alt="$1">', $html);
    else
        $html = preg_replace($img, '', $html);
    # restore the '&' characters parked above
    $html = str_replace("\0", '&', $html);
    return($html);
}
# our allowed tags
$allowed_tags = 'p|b|i|u|ol|ul|li';
# our test string
$html = 'some text <a href="http://www.blah.com">link</a> some text <b onMouseOver="alert();"> some text</b>';
# our conversion
$html = safeHTML($html, 0, 0, $allowed_tags);
# don't forget to view HTML source, and note that the 'onMouseOver' parameter is
# removed while the disallowed <a> tag is shown escaped, not removed
print($html);
?>
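What the post is asking for is a sanitizer that deletes disallowed markup instead of showing it escaped. The function below is an added example, not the poster's code or the snippet above: it escapes everything first, rebuilds only whitelisted tag names (attributes dropped), removes every other tag outright, balances what survives, and accepts [link]/[img] BBcode only with http(s) URLs. The function name dropUnsafeHTML, the tag list and the sample input are constructed for this example.

```php
<?php
// Added example (not the poster's code or the snippet above): disallowed markup
// is removed from the output rather than shown escaped, whitelisted tags are
// rebuilt without attributes and balanced, and [link]/[img] accept http(s) only.
// The function name, the tag list and the sample input are constructed here.

function dropUnsafeHTML(string $html, array $allowedTags,
                        bool $allowLinks = false, bool $allowImg = false): string
{
    $allowed = array_map('strtolower', $allowedTags);

    // 1. Escape everything first: from here on nothing the user typed is markup.
    $html = str_replace("\0", '', $html);
    $html = htmlspecialchars($html, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // 2. Every tag now reads "&lt;name ...&gt;" ("&gt;" can only come from a real
    //    ">", a literal "&gt;" typed by the user became "&amp;gt;"). Whitelisted
    //    tags are rebuilt bare, so onMouseOver and friends never survive; every
    //    other tag is deleted outright, which is the behaviour the post asks for.
    $html = preg_replace_callback(
        '/&lt;(\/?)([a-z][a-z0-9]*)(?:[\s\/].*?)?&gt;/is',
        function (array $m) use ($allowed): string {
            $name = strtolower($m[2]);
            return in_array($name, $allowed, true) ? "<{$m[1]}{$name}>" : '';
        },
        $html
    );

    // 3. Balance what survived so an unclosed <b> cannot swallow the rest of the
    //    page. The only "<" left at this point belong to tags rebuilt in step 2.
    $stack = [];
    $html = preg_replace_callback(
        '/<(\/?)([a-z0-9]+)>/',
        function (array $m) use (&$stack): string {
            if ($m[1] === '') {
                $stack[] = $m[2];
                return $m[0];
            }
            if (!in_array($m[2], $stack, true)) {
                return '';                      // closer without an opener: drop it
            }
            $out = '';                          // close anything opened after it
            while (($open = array_pop($stack)) !== $m[2]) {
                $out .= "</$open>";
            }
            return $out . $m[0];
        },
        $html
    );
    while (($open = array_pop($stack)) !== null) {
        $html .= "</$open>";
    }

    // 4. BBcode. Only absolute http(s) URLs are accepted, so [link]javascript:...
    //    stays as inert text; quotes and "<" inside the URL were entity-encoded in
    //    step 1 and cannot break out of the attribute.
    $url = 'https?:\/\/[^\s\[\]]+?';
    $html = preg_replace('/\[link\](' . $url . ')\[\/link\]/i',
        $allowLinks ? '<a href="$1" rel="noopener noreferrer" target="_blank">$1</a>' : '',
        $html);
    $html = preg_replace('/\[img\](' . $url . ')\[\/img\]/i',
        $allowImg ? '<img src="$1" alt="">' : '',
        $html);

    return $html;
}

// Constructed sample input: the test string from the post plus a BBcode link,
// a javascript: link and a <script> block.
$allowedTags = ['p', 'b', 'i', 'u', 'ul', 'ol', 'li'];
$input = 'some text <a href="http://www.blah.com">link</a> some text '
       . '<b onMouseOver="alert();"> some text [link]http://www.site.com[/link] '
       . '[link]javascript:alert(1)[/link] <script>alert(1)</script>';

echo dropUnsafeHTML($input, $allowedTags, true), "\n";
```

Run against the sample, the `<a href=...>` and `<script>` tags disappear from the output instead of appearing escaped, the `<b onMouseOver=...>` comes back as a bare `<b>` that is closed at the end, the http URL becomes a link and the javascript: one is left as ordinary text. One caveat to keep in mind: removing a tag leaves its text content in place, so the body of a `<script>` block (here `alert(1)`) is still shown as text; if that text should go as well, the script/style elements need a separate rule that removes the whole element rather than just its tags.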