disable html from showing

blacksnday
Forum Contributor
Posts: 252
Joined: Sat Jul 30, 2005 6:11 am
Location: bfe Ohio :(

disable html from showing

Post by blacksnday »

Phew! I never thought I would learn so much in the past 2 months I have been writing my script :)
Time for another question, however....
I understand how htmlspecialchars() and similar functions work, and I now understand how to replace, etc.

Currently I am using an example script to work on creating my own BBCode-style editor for my user submit form. After hours and hours and hours of looking at different help sites, I find the code below the most pleasant for my needs.

As you can see, it strips and allows custom additions of permissions for allowed types.
My question comes into play where I want it to NOT SHOW at all any HTML that it strips.
Mainly, I only want to allow the strings I create.
It currently strips the HTML, then re-adds it so that the browser does not view it as HTML.

You can see my working example of this script at
http://vilificnews.info/dev/safe.php

Code:

<?php

# remove unsafe html characters
# $html      = our string which contains unsafe tags
#
# $allow_a   = allow links in this string ?
# (only in the form of: [link]http://www.site.com[/link] ), 1=yes, 0=no
#
# $allow_img = allow images in this string ?
# (only in the form of: [img]http://www.site.com/image.gif[/img] ), 1=yes, 0=no
#
# $tags      = allowed html tags, as a regex alternation such as 'p|b|i'
#              (attributes on these tags are always discarded)

function safeHTML($html, $allow_a = 0, $allow_img = 0, $tags = '')
{
     # drop any NUL bytes already in the input, then park every '&' as a NUL
     # so htmlspecialchars() leaves existing entities alone; restored at the end
     $html = str_replace("\0", '', $html);
     $html = str_replace('&', "\0", $html);
     $html = htmlspecialchars($html, ENT_QUOTES);

     if ($tags)
     {
          # after htmlspecialchars() the brackets read &lt; and &gt;, so the
          # patterns must match the encoded form; \b stops 'u' matching the
          # start of 'ul', and .*? swallows whatever attributes were present
          $html = preg_replace("/&lt;($tags)\\b.*?&gt;/i", '<\1>', $html);
          $html = preg_replace("/&lt;\\/($tags)&gt;/i", '</\1>', $html);
     }

     # bbcode: accept only http(s) URLs, so javascript: and data: never reach
     # href or src; non-greedy so two tags on one line are handled separately
     $url = 'https?:\/\/[^\s\[\]]+?';

     if ($allow_a)
          $html = preg_replace("/\[link]($url)\[\/link]/i", '<a href="\1" target="_blank">\1</a>', $html);
     else
          $html = preg_replace("/\[link]($url)\[\/link]/i", '', $html);

     if ($allow_img)
          $html = preg_replace("/\[img]($url)\[\/img]/i", '<img src="\1" border="0" alt="\1">', $html);
     else
          $html = preg_replace("/\[img]($url)\[\/img]/i", '', $html);

     # put the ampersands back
     $html = str_replace("\0", '&', $html);

     return $html;
}

# our allowed tags
$allowed_tags = 'p|b|i|u|ul|ol|li';

# our test string
$html = 'some text <a href="http://www.blah.com">link</a> some text <b onMouseOver="alert();"> some text</b>';

# our conversion
$html = safeHTML($html, 0, 0, $allowed_tags);

# don't forget to view the HTML source, and note that the 'onMouseOver' attribute is removed
print($html);

?>
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

strip_tags()? viewtopic.php?t=25494 may help too (found in the Useful Posts thread)
blacksnday
Forum Contributor
Posts: 252
Joined: Sat Jul 30, 2005 6:11 am
Location: bfe Ohio :(

Post by blacksnday »

OK, I got it to not show any stripped HTML using

Code:

$html = preg_replace('#</?.*?\>#','',$html);

If I don't use

Code:

$html = preg_replace('@<script[^>]*?>.*?</script>@si','',$html);

with the above, then nice errors occur with the PHP closing tag.


However, there is still one elusive string I cannot figure out:

Code:

<!-- window.location="http://www.yourdomain.com/"; // -->

anything between the <!-- stuff here //-->
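An added example to close the thread, not code posted by blacksnday or feyd: it puts the pieces from the last post (the tag-stripping regex, a separate pass for script blocks, and the stubborn <!-- ... --> comment) next to feyd's strip_tags() suggestion, and runs both on constructed inputs, including a comment that spans several lines. The function names and the sample strings are this example's own, and the escaping step at the end is the part a sanitizer alone does not give you.

```php
<?php
// Added example for this thread, not code from either poster. Function
// names and the sample strings below are constructed for the demo.

// Regex route. Order matters: remove <script>/<style> blocks together with
// their contents, then comments, then any remaining tag. The 's' modifier
// lets '.' cross newlines, which is what a comment written over several
// lines needs; without it the pattern stops at the first line break.
function stripMarkupRegex(string $html): string
{
    $html = preg_replace('#<(script|style)\b[^>]*>.*?</\1\s*>#is', '', $html);
    $html = preg_replace('#<!--.*?-->#s', '', $html);
    // Like the pattern in the post above, this also eats a bare "<" ... ">"
    // that appears in ordinary prose.
    $html = preg_replace('#<[^>]*>#', '', $html);
    return $html;
}

// Built-in route. strip_tags() drops tags, HTML comments and PHP tags in one
// pass and is not sensitive to line breaks.
function stripMarkupBuiltin(string $html, string $allowed = ''): string
{
    return strip_tags($html, $allowed);
}

// Stripping decides what content is kept; it is not output encoding. Whatever
// text survives is still parsed as HTML by the browser, so escape it where it
// is printed.
function escapeForHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed inputs: the comment from the thread on one line and on three,
// a script block, and a tag carrying an event handler.
$samples = [
    'one-line comment'   => 'before <!-- window.location="http://www.yourdomain.com/"; // --> after',
    'multi-line comment' => "before <!--\nwindow.location=\"http://www.yourdomain.com/\";\n// -->\nafter",
    'script block'       => 'text <script type="text/javascript">alert(1);</script> more',
    'tag with handler'   => 'text <b onMouseOver="alert(1)">bold</b> more',
];

foreach ($samples as $name => $input) {
    echo "== $name ==\n";
    echo "regex      : ", escapeForHtml(stripMarkupRegex($input)), "\n";
    echo "strip_tags : ", escapeForHtml(stripMarkupBuiltin($input)), "\n";
}

// The catch with the strip_tags() allow-list: an allowed tag is kept exactly
// as written, event handler and all. Printed raw here so the surviving
// attribute is visible on the command line.
echo "== strip_tags with <b> allowed ==\n";
echo stripMarkupBuiltin($samples['tag with handler'], '<b>'), "\n";
```

Run it with php from the command line. Both routes reduce every sample to plain text, including the three-line comment, which is where a pattern without the 's' modifier stops short. The last line is the caveat to keep in mind when following the strip_tags() suggestion: allowable_tags keeps the tag as the user typed it, so a permitted <b> still carries its onMouseOver. If you want an allow-list of tags, rebuild each one from its bare name, as the function in the first post sets out to do, rather than pass the original tag through.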