
Forum Moderators: coopster & jatar k


Blocking html in posts

   
5:27 am on May 9, 2005 (gmt 0)

10+ Year Member



Hi,
How would I block some html in posts but allow some like links, images, and fonts?

electricocean

5:43 am on May 9, 2005 (gmt 0)

10+ Year Member



Have a look here. Some interesting info in the comments:

[php.net...]

4:53 am on May 11, 2005 (gmt 0)

10+ Year Member



Hi, thanks.

I read that article and it seemed like it only blocked certain codes you tell it to block. But I want to block everything except a couple of codes. I kept on reading and it said something about allowed_tags() so I searched that on google and I found this code fgetss() so I wrote this:

$news = fgetss($post, '', '<p><a><img><b><br><center><font><hr><i><li><marquee><strong><sub><sup>');

I thought it would work but it didn't.

any help is needed...

thanks,
electricocean

5:25 am on May 11, 2005 (gmt 0)

WebmasterWorld Administrator incredibill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



Just remove all "<"'s from the text and all HTML and javascript are disabled.

6:27 am on May 11, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



This will encode - use of htmlentities()
function var_html_encode($varia) {
    $varia = rtrim($varia);
    $varia = ltrim($varia);
    $varia = str_replace("<br>", "\r\n", $varia);
    $varia = htmlentities($varia, ENT_QUOTES, "utf-8");
    return $varia;
}

This will decode - use of html_entity_decode()

function var_html_tagdecode($varia) {
    $varia = html_entity_decode($varia, ENT_QUOTES);
    $varia = strip_tags($varia, "<br>");
    return $varia;
}

Note the strip_tags function, meaning that all html elements are removed except the break element.

Hope this helps.

2:02 am on May 12, 2005 (gmt 0)

10+ Year Member



Hi,

so if I used this code:

function var_html_tagdecode($varia) {
$varia=html_entity_decode($varia,ENT_QUOTES);
$varia=strip_tags($varia, "<br>");
return $varia;}

does $varia mean the post?

and why are all the variables named $varia?

if the posting is $post = $_POST['news'];
could I do this:

$post = $_POST['news'];
$post=html_entity_decode($post,ENT_QUOTES);
$vpost=strip_tags($post, "<br>");
return $post;

?

Thanks for the help,

electricocean

5:45 am on May 12, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



The examples I gave above are functions, meaning that you should type them only once, save them in an external file (e.g. called post_var_function.php) and call the file using include_once() when needed (at the top of your script).

Then, if $post = $_POST['news'];
you can just say
$post = var_html_tagdecode($_POST['news']); to DECODE
$post = var_html_encode($_POST['news']); to ENCODE

REMINDER, always encode your variables before inserting them in your database (all your text data should be encoded using the encode function). Then, to retrieve the data, you can use any decode function you have created (e.g. one removing all tags, one leaving few tags like <b>, <i>, <br>, one leaving all tags). To sum up, you should have ONE encode function and MANY decode functions.

Hope this helps.

3:49 pm on May 12, 2005 (gmt 0)

WebmasterWorld Administrator ergophobe is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month




I read that article and it seemed like it only blocked certain codes you tell it to block. But I want to block everything except a couple of codes.

You have it backwards - it strips everything except what you tell it not to strip. I think this is what you're looking for.

5:05 pm on May 12, 2005 (gmt 0)

10+ Year Member



there is also the htmlspecialchars() which changes the special chars into their...oh what do you call them.... (&lt, &gt)? Anyway this prevents featherbrains from accidentally writing invalid html tags when what they want is simply to emphasise text.

you can then use ereg_replace(item to be replaced, replaced with, $string)

you can then make up your own tags

ex.
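// ereg_replace() was removed in PHP 7; preg_replace() is the current equivalent.
// Parentheses are regex metacharacters, so they are escaped to match literally.
$string = '(link)www.nowhere.com(/link)';
$string = ereg_replace('\\(link\\)', '<a href="', $string);
$string = ereg_replace('\\(/link\\)', '">', $string);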

you may have to escape some of the characters with \\. I still have trouble with escaping characters.

5:40 pm on May 12, 2005 (gmt 0)

WebmasterWorld Administrator ergophobe is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



- htmlspecialchars() or htmlentities() will transform the HTML so that it presents as text, so you see <b>bold</b> instead of bold.

- strip_tags will remove the HTML entirely except for the tags that you specify in the "allowed tags" list.

2:30 am on May 13, 2005 (gmt 0)

10+ Year Member



Thanks for all the posts... it now works... YAY!

I was also wondering if the user skips a line in the post, and it automatically becomes <br> like in the webmasterworld posts.

thanks,
electricocean

3:04 am on May 13, 2005 (gmt 0)

10+ Year Member



the line breaks can be created with the nl2br() function.

4:07 am on May 13, 2005 (gmt 0)

10+ Year Member



so my new code would be:

$post = $_POST['news'];
$strip = strip_tags($post, '<a><img><b><br><center><font><hr><i><li><marquee><strong><sub><sup>');
$news = nl2br($strip);

is this correct?

electricocean

4:49 am on May 13, 2005 (gmt 0)

10+ Year Member



Yes that code works thanks guys
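
strip_tags() filters on tag names only and leaves every attribute on an allowed tag in place, so the allowlist the thread settles on still lets event-handler attributes and non-HTTP URL schemes through. The following is an added example, not code from the thread, that filters tags, attributes and URL schemes with DOMDocument; the per-tag attribute list and the http(s)-only URL rule are assumptions.

```php
<?php
// Tags are the thread's strip_tags() list; attributes kept per tag are an assumed policy.
const ALLOWED = [
    'a' => ['href'], 'img' => ['src', 'alt'], 'font' => ['color', 'size', 'face'],
    'b' => [], 'br' => [], 'center' => [], 'hr' => [], 'i' => [], 'li' => [],
    'marquee' => [], 'strong' => [], 'sub' => [], 'sup' => [],
];
function sanitize_node(DOMNode $node): void
{
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if (!($child instanceof DOMElement)) {
            if ($child->nodeType !== XML_TEXT_NODE) {
                $node->removeChild($child);   // comments, CDATA (script bodies), PIs
            }
            continue;                         // plain text stays; it is escaped on output
        }
        sanitize_node($child);                // clean descendants first
        $tag = strtolower($child->nodeName);
        if (!isset(ALLOWED[$tag])) {
            while ($child->firstChild) {      // unwrap: keep cleaned children, drop the tag
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
            continue;
        }
        foreach (iterator_to_array($child->attributes, false) as $attr) {
            $name = strtolower($attr->nodeName);
            $isUrl = $name === 'href' || $name === 'src';
            // Assumed policy: URL attributes must be absolute http(s) links.
            if (!in_array($name, ALLOWED[$tag], true)
                || ($isUrl && !preg_match('#^https?://#i', $attr->nodeValue))) {
                $child->removeAttributeNode($attr);
            }
        }
    }
}

function sanitize_html(string $html): string
{
    libxml_use_internal_errors(true);         // user markup is rarely valid HTML
    $doc = new DOMDocument();
    $doc->loadHTML('<?xml encoding="UTF-8">' . $html, LIBXML_NONET);  // prefix forces UTF-8
    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) { return ''; }
    sanitize_node($body);
    return implode('', array_map([$doc, 'saveHTML'], iterator_to_array($body->childNodes, false)));
}

// Constructed sample post: allowed tags carrying attributes that strip_tags() leaves in place.
$post = '<b onmouseover="track()">hi</b> <a href="javascript:track()">x</a> <script>track()</script>';
echo strip_tags($post, '<a><b>'), "\n";       // tags filtered, attributes untouched
echo nl2br(sanitize_html($post)), "\n";       // tags, attributes and URL schemes filtered
```

Differences between how libxml and browsers parse malformed markup are not handled here; a maintained sanitizer such as HTML Purifier covers those cases.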