Blocking html in posts

     
5:27 am on May 9, 2005 (gmt 0)

Full Member

10+ Year Member

joined:Aug 11, 2004
posts:253
votes: 0


Hi,
How would I block some HTML in posts but allow some, like links, images, and fonts?

electricocean

5:43 am on May 9, 2005 (gmt 0)

Junior Member

10+ Year Member

joined:Apr 29, 2005
posts:169
votes: 0


Have a look here. Some interesting info in the comments:

[php.net...]

4:53 am on May 11, 2005 (gmt 0)

Full Member

10+ Year Member

joined:Aug 11, 2004
posts:253
votes: 0


Hi, thanks.

I read that article and it seemed like it only blocked certain codes you tell it to block. But I want to block everything except a couple of codes. I kept on reading and it said something about allowed_tags() so I searched that on Google and I found this code fgetss() so I wrote this:

$news = fgetss($post, '', '<p><a><img><b><br><center><font><hr><i><li><marquee><strong><sub><sup>');

I thought it would work but it didn't.

any help is needed...

thanks,
electricocean

5:25 am on May 11, 2005 (gmt 0)

Administrator from US 

WebmasterWorld Administrator incredibill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 25, 2005
posts:14650
votes: 94


Just remove all "<"'s from the text and all HTML and javascript are disabled.

5:25 am on May 11, 2005 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Jan 7, 2004
posts:929
votes: 0


This will encode - use of htmlentities():

function var_html_encode($varia) {
    $varia = trim($varia);                                // drop leading/trailing whitespace
    $varia = str_replace("<br>", "\r\n", $varia);         // turn literal <br> back into line breaks
    $varia = htmlentities($varia, ENT_QUOTES, "utf-8");   // encode <, >, &, ' and "
    return $varia;
}

This will decode - use of html_entity_decode():

function var_html_tagdecode($varia) {
    $varia = html_entity_decode($varia, ENT_QUOTES, "utf-8"); // same charset as the encode side
    $varia = strip_tags($varia, "<br>");                      // remove every tag except <br>
    return $varia;
}

Note the strip_tags function, meaning that all html elements are removed except the break element.

Hope this helps.

2:02 am on May 12, 2005 (gmt 0)

Full Member

10+ Year Member

joined:Aug 11, 2004
posts:253
votes: 0


Hi,

so if I used this code:

function var_html_tagdecode($varia) {
    $varia = html_entity_decode($varia, ENT_QUOTES, "utf-8"); // same charset as the encode side
    $varia = strip_tags($varia, "<br>");                      // remove every tag except <br>
    return $varia;
}

does $varia mean the post?

and why are all the variables nambed $varia?

if the posting is $post = $_POST['news'];
could I do this:

$post = $_POST['news'];
$post = html_entity_decode($post, ENT_QUOTES, "utf-8");
$post = strip_tags($post, "<br>"); // was $vpost, so $post was never changed
return $post;

?

Thanks for the help,

electricocean

5:45 am on May 12, 2005 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Jan 7, 2004
posts:929
votes: 0


The examples I gave above are functions, meaning that you should type them only once, save them in an external file (e.g. called post_var_function.php) and call the file using include_once() when needed (at the top of your script).

Then, if $post = $_POST['news'];
you can just say
$post = var_html_tagdecode($_POST['news']); to DECODE
$post = var_html_encode($_POST['news']); to ENCODE

REMINDER, always encode your variables before inserting them in your database (all your text data should be encoded using the encode function). Then, to retrieve the data, you can use any decode function you have created (e.g. one removing all tags, one leaving a few tags like <b>, <i>, <br>, one leaving all tags). To sum up, you should have ONE encode function and MANY decode functions.

Hope this helps.

3:49 pm on May 12, 2005 (gmt 0)

Moderator

WebmasterWorld Administrator ergophobe is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 25, 2002
posts:8298
votes: 141


I read that article and it seemed like it only blocked certain codes you tell it to block. But I want to block everything except a couple of codes.

You have it backwards - it strips everything except what you tell it not to strip. I think this is what you're looking for.

5:05 pm on May 12, 2005 (gmt 0)

Preferred Member

10+ Year Member

joined:Apr 29, 2003
posts:424
votes: 0


there is also htmlspecialchars() which changes the special chars into their... oh what do you call them.... (&lt;, &gt;)? Anyway this prevents featherbrains from accidentally writing invalid html tags when what they want is simply to emphasise text.

you can then use ereg_replace(item to be replaced, replaced with, $string)

you can then make up your own tags

ex.
$string = '(link)www.nowhere.com(/link)';
// The parentheses must be escaped, otherwise the pattern engine treats them as a group
// and matches the bare word "link". (The original used ereg_replace(), which was removed
// in PHP 7; preg_replace() takes the same escaped pattern between delimiters.)
$string = preg_replace('/\(link\)/', '<a href="', $string);
$string = preg_replace('/\(\/link\)/', '">', $string);

you may have to escape some of the characters with \\. I still have trouble with escaping characters.
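The custom-tag idea above, carried through as an added example (this is not the poster's code; the function name, the accepted URL forms and the sample post are this example's own choices): the post is escaped first so typed HTML stays text, and only the (link)...(/link) markers are turned back into a real anchor, and only when what sits between them is a plain http(s) or www. address.

```php
<?php
// Added example, not from the thread: a "(link)url(/link)" converter using
// preg_replace_callback(). Everything the user typed is escaped first, then
// our own markers are replaced. The markers contain no HTML-special characters,
// so they survive htmlspecialchars() unchanged.
declare(strict_types=1);

function render_custom_links(string $post): string
{
    // Step 1: neutralise any real HTML in the post, exactly as htmlspecialchars() does.
    $text = htmlspecialchars($post, ENT_QUOTES, 'UTF-8');

    // Step 2: replace the markers. The parentheses are escaped in the pattern
    // (the point about escaping made above); unescaped they would form a group.
    return preg_replace_callback(
        '~\(link\)(.*?)\(/link\)~s',
        static function (array $m): string {
            $url = trim($m[1]);
            // Only plain http(s)://... or www.... addresses become clickable;
            // anything else between the markers is left as (already escaped) text.
            if (!preg_match('~^(https?://|www\.)[^\s"\'<>]+$~i', $url)) {
                return $m[1];
            }
            if (stripos($url, 'www.') === 0) {
                $url = 'http://' . $url;       // give bare www. addresses a scheme
            }
            // $url came through htmlspecialchars(), so quotes and & are already
            // encoded and it is safe to place inside the attribute.
            return '<a href="' . $url . '">' . $url . '</a>';
        },
        $text
    ) ?? $text;
}

// Constructed sample post (not from the thread).
$post = "Visit (link)www.nowhere.com(/link), not (link)not a url(/link)\n"
      . "<b>typed HTML stays text</b>";
echo render_custom_links($post), "\n";
```

Escaping before the marker replacement is the important ordering: if the anchor were built first and the whole string escaped afterwards, the generated `<a>` would be turned into text along with everything else.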

5:40 pm on May 12, 2005 (gmt 0)

Moderator

WebmasterWorld Administrator ergophobe is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 25, 2002
posts:8298
votes: 141


- htmlspecialchars() or htmlentities() will transform the HTML so that it presents as text, so you see <b>bold</b> instead of bold.

- strip_tags will remove the HTML entirely except for the tags that you specify in the "allowed tags" list.

2:30 am on May 13, 2005 (gmt 0)

Full Member

10+ Year Member

joined:Aug 11, 2004
posts:253
votes: 0


Thanks for all the posts... it now works... YAY!

I was also wondering if the user skips a line in the post, and it automatically becomes <br> like in the webmasterworld posts.

thanks,
electricocean

3:04 am on May 13, 2005 (gmt 0)

Preferred Member

10+ Year Member

joined:July 30, 2003
posts:430
votes: 0


the line breaks can be created with the nl2br() function.

4:07 am on May 13, 2005 (gmt 0)

Full Member

10+ Year Member

joined:Aug 11, 2004
posts:253
votes: 0


so my new code would be:

$post = $_POST['news'];
$strip = strip_tags($post, '<a><img><b><br><center><font><hr><i><li><marquee><strong><sub><sup>');
$news = nl2br($strip);

is this correct?

electricocean
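The final code above keeps an allow-list of tags with strip_tags() and then calls nl2br(). One thing strip_tags() does not do is look at attributes: every attribute on a tag it lets through is kept as typed. The following added example (not code from the thread or from any poster; the function and constant names, the tag/attribute policy and the sample post are this example's own) does the same job with DOMDocument, keeping only listed tags and, on those, only listed attributes, and puts the htmlspecialchars() alternative described earlier in the thread next to it for comparison.

```php
<?php
// Added example, not from the thread: allow-list sanitiser for user posts.
// Like the thread's strip_tags()+nl2br() code, but attributes are filtered too.
declare(strict_types=1);

/** Tags a post may keep, each with the attributes allowed on it (example policy). */
const ALLOWED_TAGS = [
    'a'   => ['href'],
    'img' => ['src', 'alt'],
    'b' => [], 'strong' => [], 'i' => [], 'sub' => [], 'sup' => [],
    'br' => [], 'hr' => [], 'li' => [], 'p' => [], 'font' => [], 'center' => [],
];

/** href/src values must be plain http(s) URLs; anything else is dropped. */
function is_safe_url(string $url): bool
{
    return (bool) preg_match('~^https?://~i', trim($url));
}

/** Walk the DOM and enforce ALLOWED_TAGS on every element under $parent. */
function clean_children(DOMNode $parent): void
{
    // Iterate over a copy: the live child list changes while we edit it.
    foreach (iterator_to_array($parent->childNodes, false) as $node) {
        if ($node instanceof DOMText) {
            continue;                        // text is kept; serialisation escapes it
        }
        if (!$node instanceof DOMElement) {
            $parent->removeChild($node);     // comments, processing instructions, ...
            continue;
        }
        $tag = strtolower($node->tagName);
        if ($tag === 'script' || $tag === 'style') {
            $parent->removeChild($node);     // drop these together with their contents
            continue;
        }
        if (!array_key_exists($tag, ALLOWED_TAGS)) {
            // Not on the list: keep the contents, drop the tag (as strip_tags() does).
            clean_children($node);
            while ($node->firstChild !== null) {
                $parent->insertBefore($node->firstChild, $node);
            }
            $parent->removeChild($node);
            continue;
        }
        // On the list: keep only its listed attributes, and only safe URLs in them.
        foreach (iterator_to_array($node->attributes, false) as $attr) {
            $name = strtolower($attr->name);
            $keep = in_array($name, ALLOWED_TAGS[$tag], true)
                && (!in_array($name, ['href', 'src'], true) || is_safe_url($attr->value));
            if (!$keep) {
                $node->removeAttribute($attr->name);
            }
        }
        clean_children($node);
    }
}

/** Return $html reduced to the allowed tags and attributes. */
function sanitize_post(string $html): string
{
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);   // user HTML is rarely well-formed
    // The encoding hint keeps UTF-8 intact. The <div> stops libxml from wrapping
    // leading text in its own <p>; it is unwrapped again because 'div' is not allowed.
    $doc->loadHTML('<?xml encoding="utf-8"?><div>' . $html . '</div>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';
    }
    clean_children($body);

    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

/** The thread's final step with the stricter sanitiser: tags kept, newlines become <br />. */
function render_post(string $raw): string
{
    return nl2br(sanitize_post($raw));
}

/** The other option discussed above: show any HTML as literal text instead. */
function render_post_as_text(string $raw): string
{
    return nl2br(htmlspecialchars($raw, ENT_QUOTES, 'UTF-8'));
}

// Constructed sample post (not from the thread).
$raw = "Hello <b title=\"t\" onclick=\"go()\">world</b>\n"
     . "See <a href=\"http://www.nowhere.com\" target=\"_top\">this</a> "
     . "and <a href=\"ftp://files.example/x\">that</a>\n"
     . "<script>go()</script><u>underlined?</u>";
echo render_post($raw), "\n---\n", render_post_as_text($raw), "\n";
```

With the sample post, render_post() keeps `<b>` and the first `<a>` but without their extra attributes, drops the href of the ftp link, removes the `<script>` element with its contents, and unwraps `<u>` to plain text; render_post_as_text() shows the whole post as literal markup, which is the behaviour ergophobe contrasts with strip_tags() above. nl2br() runs last in both, as in the thread's final code, so the line breaks it inserts are never touched by the tag filter.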

4:49 am on May 13, 2005 (gmt 0)

Full Member

10+ Year Member

joined:Aug 11, 2004
posts:253
votes: 0


Yes that code works thanks guys