
PHP Server Side Scripting Forum

    
Blocking html in posts
electricocean




msg:1262329
 5:27 am on May 9, 2005 (gmt 0)

Hi,
How would I block some html in posts but allow some, like links, images, and fonts?

electricocean

 

Stormfx




msg:1262330
 5:43 am on May 9, 2005 (gmt 0)

Have a look here. Some interesting info in the comments:

[php.net...]

electricocean




msg:1262331
 4:53 am on May 11, 2005 (gmt 0)

Hi, thanks.

I read that article and it seemed like it only blocked certain codes you tell it to block. But I want to block everything except a couple of codes. I kept on reading and it said something about allowed_tags() so I searched that on google and I found this code fgetss() so I wrote this:

$news = fgetss($post, '', '<p><a><img><b><br><center><font><hr><i><li><marquee><strong><sub><sup>');

I thought it would work but it didn't.

any help is needed...

thanks,
electricocean

incrediBILL




msg:1262332
 5:25 am on May 11, 2005 (gmt 0)

Just remove all "<"'s from the text and all HTML and javascript are disabled.

tomda




msg:1262333
 6:27 am on May 11, 2005 (gmt 0)

This will encode - use of htmlentities()
function var_html_encode($varia) {
    $varia = rtrim($varia);
    $varia = ltrim($varia);
    $varia = str_replace("<br>", "\r\n", $varia);
    $varia = htmlentities($varia, ENT_QUOTES, "utf-8");
    return $varia;
}

This will decode - use of html_entity_decode()
function var_html_tagdecode($varia) {
    $varia = html_entity_decode($varia, ENT_QUOTES);
    $varia = strip_tags($varia, "<br>");
    return $varia;
}

Note the strip_tags function, meaning that all html elements are removed except the break element.

Hope this helps.

electricocean




msg:1262334
 2:02 am on May 12, 2005 (gmt 0)

Hi,

so if I used this code:

function var_html_tagdecode($varia) {
    $varia = html_entity_decode($varia, ENT_QUOTES);
    $varia = strip_tags($varia, "<br>");
    return $varia;
}

does $varia mean the post?

and why are all the variables named $varia?

if the posting is $post = $_POST['news'];
could I do this:

$post = $_POST['news'];
$post=html_entity_decode($post,ENT_QUOTES);
$vpost=strip_tags($post, "<br>");
return $post;

?

Thanks for the help,

electricocean

tomda




msg:1262335
 5:45 am on May 12, 2005 (gmt 0)

The examples I gave above are functions, meaning that you should type them only once, save them in an external file (e.g. called post_var_function.php) and call the file using include_once() when needed (at the top of your script).

Then, if $post = $_POST['news'];
you can just say
$post = var_html_tagdecode($_POST['news']); to DECODE
$post = var_html_encode($_POST['news']); to ENCODE

REMINDER, always encode your variables before inserting them in your database (all your text data should be encoded using the encode function). Then, to retrieve the data, you can use any decode function you have created (e.g. one removing all tags, one leaving few tags like <b>, <i>, <br>, one leaving all tags). To sum up, you should have ONE encode function and MANY decode functions.

Hope this helps.

ergophobe




msg:1262336
 3:49 pm on May 12, 2005 (gmt 0)


I read that article and it seemed like it only blocked certain codes you tell it to block. But I want to block everything except a couple of codes.

You have it backwards - it strips everything except what you tell it not to strip. I think this is what you're looking for.

Sarah Atkinson




msg:1262337
 5:05 pm on May 12, 2005 (gmt 0)

there is also the htmlspecialchars() which changes the special chars into their...oh what do you call them.... (&lt, &gt)? Anyway this prevents featherbrains from accidentally writing invalid html tags when what they want is simply to emphasise text.

you can then use ereg_replace(item to be replaced, replaced with, $string)

you can then make up your own tags

ex.
$string = '(link)www.nowhere.com(/link)';
$string = ereg_replace('\(link\)', '<a href="', $string);
$string = ereg_replace('\(/link\)', '">', $string);

you may have to escape some of the characters with \\. I still have trouble with escaping characters.

ergophobe




msg:1262338
 5:40 pm on May 12, 2005 (gmt 0)

- htmlspecialchars() or htmlentities() will transform the HTML so that it presents as text, so you see <b>bold</b> instead of bold.

- strip_tags will remove the HTML entirely except for the tags that you specify in the "allowed tags" list.

electricocean




msg:1262339
 2:30 am on May 13, 2005 (gmt 0)

Thanks for all the posts... it now works... YAY!

I was also wondering if the user skips a line in the post, and it automatically becomes <br> like in the webmasterworld posts.

thanks,
electricocean

yowza




msg:1262340
 3:04 am on May 13, 2005 (gmt 0)

the line breaks can be created with the nl2br() function.

electricocean




msg:1262341
 4:07 am on May 13, 2005 (gmt 0)

so my new code would be:

$post = $_POST['news'];
$strip = strip_tags($post, '<a><img><b><br><center><font><hr><i><li><marquee><strong><sub><sup>');
$news = nl2br($strip);

is this correct?

electricocean

electricocean




msg:1262342
 4:49 am on May 13, 2005 (gmt 0)

Yes that code works thanks guys
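
Added example, not written by any poster in this thread: the PHP manual notes that strip_tags() does not modify attributes on the tags it allows, so with <a> and <img> in the allowed list, event-handler attributes and script URLs in href/src pass through unchanged. The sketch below filters both tags and attributes with DOMDocument; the function names, the tag/attribute lists and the sample input are assumptions made for illustration.

```php
<?php
// Added example (not from the thread). Tag and attribute lists are illustrative assumptions.
const ALLOWED = ['a' => ['href'], 'img' => ['src', 'alt'], 'b' => [], 'i' => [], 'strong' => [],
    'p' => [], 'br' => [], 'hr' => [], 'li' => [], 'sub' => [], 'sup' => []];

function clean_node(DOMNode $parent): void
{
    // Iterate over a copy: childNodes is live and changes while we edit it.
    foreach (iterator_to_array($parent->childNodes, false) as $child) {
        $tag = strtolower($child->nodeName);
        if ($child->nodeType === XML_TEXT_NODE) {
            continue;                       // plain text is entity-escaped on output
        }
        if (!($child instanceof DOMElement) || $tag === 'script' || $tag === 'style') {
            $parent->removeChild($child);   // comments, PIs, script/style with their content
            continue;
        }
        clean_node($child);                 // clean descendants before deciding on this node
        if (!array_key_exists($tag, ALLOWED)) {
            while ($child->firstChild) {    // unknown tag: keep its children, drop the wrapper
                $parent->insertBefore($child->firstChild, $child);
            }
            $parent->removeChild($child);
            continue;
        }
        foreach (iterator_to_array($child->attributes, false) as $attr) {
            $name = strtolower($attr->name);
            // href/src must be absolute http(s): rejects javascript:, data: and relative URLs.
            $badUrl = in_array($name, ['href', 'src'], true)
                && !preg_match('#^https?://#i', trim($attr->value));
            if ($badUrl || !in_array($name, ALLOWED[$tag], true)) {
                $child->removeAttribute($attr->name);
            }
        }
    }
}

function sanitize_post(string $html): string
{
    libxml_use_internal_errors(true);       // tolerate malformed user markup
    $doc = new DOMDocument();
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $html . '</body>');
    $body = $doc->getElementsByTagName('body')->item(0);
    clean_node($body);
    $nodes = iterator_to_array($body->childNodes, false);
    return implode('', array_map(fn($n) => $doc->saveHTML($n), $nodes));
}

// Constructed sample input: the same string through strip_tags() and through the allowlist.
$post = '<b onmouseover="alert(1)">hi</b> <a href="javascript:alert(1)">x</a><script>alert(1)</script>';
echo strip_tags($post, '<a><b>'), "\n", sanitize_post($post), "\n";
```

Apply nl2br() to plain-text posts only; if it is combined with this filter, run it before sanitize_post() so the inserted <br> tags go through the same allowlist.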
