  1. #1
    Senior Member straight_up's Avatar
    Join Date
    Dec 2003
    Location
    Pennsylvania/Arizona
    Posts
    601
    Member #
    4309
    Hey, I'm trying to allow users to post an HTML-formatted bio on themselves... We'll also be running AJAX. I don't want to set up a collision course here, so I need to filter out all JavaScript. strip_tags() won't quite get this (if I allow <a> tags, etc., which I will):
    HTML Code:
    <a href="javascript:something" onclick="someJS()">foo</a>
    What can I do?
    I am Alan Hogan (@alanhogan on Twitter). I like PHP, UI/UX design, and OS X.

  3. #2
    straight_up
    BUMP.
    Somebody here has to do this. How can I safely filter user input in PHP?
    I am Alan Hogan (@alanhogan on Twitter). I like PHP, UI/UX design, and OS X.

  4. #3
    Senior Member
    Join Date
    Aug 2003
    Posts
    444
    Member #
    2801
    Take a look at strip_tags().
    eKstreme
    eKstreme.com - Free website tools!
    fontfox - free fonts Hand-picked quality fonts.

  5. #4
    straight_up
    Quote Originally Posted by eKstreme
    Take a look at strip_tags().
    Won't that still allow my example?
    I am Alan Hogan (@alanhogan on Twitter). I like PHP, UI/UX design, and OS X.

  6. #5
    Best way then is to have pseudo-HTML, like BBCode used right here on WDF. That way, you can check the URL before actually turning it into a link.
    eKstreme
    eKstreme.com - Free website tools!
    fontfox - free fonts Hand-picked quality fonts.
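    eKstreme's suggestion in #5 amounts to never treating the input as HTML at all: escape everything first, then turn a small set of recognised BBCode tags into markup, which gives you a natural point to check the URL before it becomes a link. Below is an added example of that approach in PHP. It is not code from this thread or from the forum software; the class name, the tag set ([b], [i], [url]) and the http/https-only rule are this example's own assumptions.

```php
<?php
// Added example, not code from this thread: a minimal BBCode-to-HTML converter.
// The raw text is never parsed as HTML. Every metacharacter is escaped up front,
// only recognised BBCode tags become markup, and a [url] is checked before it is
// turned into a link. Class name, tag set and scheme list are assumptions.

declare(strict_types=1);

final class BbCode
{
    /** schemes accepted in [url]; anything else is rendered as plain text */
    private const URL_SCHEMES = ['http', 'https'];

    public static function toHtml(string $text): string
    {
        // Step 1: neutralise <, >, &, quotes in the whole input.
        $html = htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');

        // Step 2: formatting tags that carry no attributes.
        $html = preg_replace(
            ['#\[b\](.*?)\[/b\]#is', '#\[i\](.*?)\[/i\]#is'],
            ['<strong>$1</strong>', '<em>$1</em>'],
            $html
        );

        // Step 3: [url=address]label[/url] or [url]address[/url]. The callback
        // validates the address; an unsafe one is left as text, not linked.
        $html = preg_replace_callback(
            '#\[url(?:=([^\]]+))?\](.*?)\[/url\]#is',
            static function (array $m): string {
                $label = $m[2];
                $escapedUrl = $m[1] !== '' ? $m[1] : $m[2];
                // Undo step 1 for the address only, so "&amp;" in a query string is checked as "&".
                $url = html_entity_decode($escapedUrl, ENT_QUOTES | ENT_HTML5, 'UTF-8');
                if (!self::isSafeUrl($url)) {
                    return $label;
                }
                return '<a href="' . htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8')
                    . '" rel="nofollow">' . $label . '</a>';
            },
            $html
        );

        return nl2br($html);
    }

    private static function isSafeUrl(string $url): bool
    {
        $parts = parse_url($url);
        // Require an absolute URL with a host: this rejects javascript:, data:,
        // scheme-relative "//host" and anything parse_url cannot make sense of.
        if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
            return false;
        }
        return in_array(strtolower($parts['scheme']), self::URL_SCHEMES, true);
    }
}

// Constructed sample input: a bold word, a javascript: link, a real link, raw HTML.
$sample = "[b]Hi[/b] [url=javascript:alert(1)]click[/url] "
    . "[url=https://example.com/?a=1&b=2]site[/url] <script>x</script>";
echo BbCode::toHtml($sample), PHP_EOL;
```

    Because the escaping happens before any tag is recognised, the `<script>` in the sample survives only as literal `&lt;script&gt;` text, and the `javascript:` address fails the scheme-and-host check, so its label is emitted without an anchor. The price of this approach is that users write BBCode rather than HTML, which is exactly the trade-off straight_up is weighing in the next post.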

  7. #6
    straight_up
    Clarification:
    I want to allow HTML, just not dangerous HTML. Is that asking the impossible?
    I am Alan Hogan (@alanhogan on Twitter). I like PHP, UI/UX design, and OS X.

  8. #7
    Senior Member Fallout's Avatar
    Join Date
    Aug 2003
    Location
    Richmond, Virginia
    Posts
    543
    Member #
    2748
    BBCode is the answer, unless you want to do tons of regex to pare down the HTML input into the accepted tags.
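    The thread never gets a concrete answer to the question straight_up asks in #1 and restates in #6 (allow HTML, just not the dangerous parts) beyond Fallout's "tons of regex" remark. The allowlist sanitizer below is an added example, not code from anyone in this thread. Instead of regex it parses the fragment with PHP's DOMDocument, keeps only a fixed set of elements and attributes (so every on* handler is dropped), accepts an href only when its scheme is http, https or mailto, and serialises the cleaned tree. The class name and the allowed-element list are this example's own choices.

```php
<?php
// Added example, not code from this thread: an allowlist HTML sanitizer.
// Parses the untrusted fragment with DOMDocument, keeps only the elements and
// attributes listed below, checks the scheme of every href, and re-serialises.
// Class name and the allowed-element list are this example's own choices.

declare(strict_types=1);

final class HtmlSanitizer
{
    /** element name => attributes that may survive on it */
    private const ALLOWED = [
        'a' => ['href', 'title'],
        'p' => [], 'br' => [], 'b' => [], 'strong' => [], 'i' => [], 'em' => [],
        'ul' => [], 'ol' => [], 'li' => [], 'blockquote' => [],
    ];

    /** elements removed together with everything inside them */
    private const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed', 'noscript'];

    /** schemes an href may use; javascript:, data:, vbscript: and the rest are dropped */
    private const URL_SCHEMES = ['http', 'https', 'mailto'];

    public static function sanitize(string $html): string
    {
        $doc = new DOMDocument();
        $prev = libxml_use_internal_errors(true);   // tolerate broken markup quietly
        // The XML PI tells libxml the bytes are UTF-8. libxml ignores misplaced
        // <body>/</body> tags inside the input, so this wrapper is reliable.
        $doc->loadHTML(
            '<?xml encoding="UTF-8"><html><body>' . $html . '</body></html>',
            LIBXML_HTML_NODEFDTD
        );
        libxml_clear_errors();
        libxml_use_internal_errors($prev);

        $body = $doc->getElementsByTagName('body')->item(0);
        if ($body === null) {
            return '';
        }
        self::clean($body);

        $out = '';
        foreach ($body->childNodes as $child) {
            $out .= $doc->saveHTML($child);   // text nodes come back entity-escaped
        }
        return $out;
    }

    private static function clean(DOMNode $parent): void
    {
        // Work on a snapshot: the live childNodes list changes as nodes are removed.
        foreach (iterator_to_array($parent->childNodes) as $node) {
            if ($node instanceof DOMText) {
                continue;
            }
            if (!$node instanceof DOMElement) {
                $parent->removeChild($node);   // comments, processing instructions
                continue;
            }
            $tag = strtolower($node->tagName);
            if (in_array($tag, self::DROP_WITH_CONTENT, true)) {
                $parent->removeChild($node);
                continue;
            }
            if (!isset(self::ALLOWED[$tag])) {
                // Unknown element: clean its children, hoist them out, drop the wrapper.
                self::clean($node);
                while ($node->firstChild !== null) {
                    $parent->insertBefore($node->firstChild, $node);
                }
                $parent->removeChild($node);
                continue;
            }
            foreach (iterator_to_array($node->attributes) as $attr) {
                $name = strtolower($attr->name);
                if (!in_array($name, self::ALLOWED[$tag], true)
                    || ($name === 'href' && !self::safeHref($attr->value))) {
                    $node->removeAttribute($attr->name);   // every on* handler ends here
                }
            }
            self::clean($node);
        }
    }

    private static function safeHref(string $url): bool
    {
        // DOMDocument has already decoded entities such as &#106;avascript:, and
        // browsers ignore ASCII controls and spaces inside a URL, so strip those
        // before looking at the scheme.
        $probe = preg_replace('/[\x00-\x20\x7f]+/', '', $url) ?? '';
        if ($probe === '') {
            return false;
        }
        if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $probe, $m) === 1) {
            return in_array(strtolower($m[1]), self::URL_SCHEMES, true);
        }
        return true;   // no scheme: a relative link such as /profile?id=42 or #top
    }
}

// Constructed sample: the link from post #1, a harmless link and a script block.
$untrusted = '<a href="javascript:something" onclick="someJS()">foo</a> '
    . '<a href="https://example.com/">ok</a><script>alert(1)</script>';
echo HtmlSanitizer::sanitize($untrusted), PHP_EOL;
```

    On the sample, the onclick attribute is removed because it is not in the allowlist for a, the javascript: href fails the scheme check and is removed as well, and the script element disappears with its contents, while the https link passes untouched. Two design points matter here: the check runs on the DOM, so entity-encoded or oddly-cased tricks are already normalised by the parser rather than being matched against a regex, and unknown elements are unwrapped rather than deleted, so a user who pastes a div loses the wrapper but not their text. Dropping only the bad attribute (leaving `<a>foo</a>`) is a choice; removing the whole element when its href is rejected is equally defensible.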
