This is pretty basic, and I recommend looking at all the string functions.
Basically, you want to use strip_tags() to get rid of the HTML (optionally allowing SOME tags to be passed through). Then use nl2br() to convert \n's (the only type of newline you're likely to receive via a web form) to <br />'s.

Let's say we only want to allow <B><I><U>:

<?php
$string = "<B>Bold</B>,<I>Italics</I>,<A HREF=\"foo.php\">link</a>\n<U>underline</U>";
$string = strip_tags($string, "<B><I><U>");
$string = nl2br($string);
echo $string;
?>

This will print:

<B>Bold</B>,<I>Italics</I>,link<br /><U>underline</U>

I.e., every tag apart from the allowed tags has been stripped, and the \n has been changed to a break. Of course, all this is in the manual :)

This doesn't strip out ALL evil, however. There's been some discussion recently about the allowed tags having evil in them (eg <B onmouseover="javascript:self.close();">), and you'd also want to trim the input down to a certain length (to save people flooding your server with 50mb of text or something :)

The simple solution is not to think about what you KNOW to be evil, but look at it the other way, and only accept what you consider safe, and throw out everything else.

Justin French
--------------------
Creative Director
http://Indent.com.au
--------------------

on 11/04/02 11:07 PM, David ([EMAIL PROTECTED]) wrote:

> Hi all,
>
> I have a textarea which will contain info from the user. This then
> needs to be parsed through something like htmlspecialchars() or
> htmlentities().
>
> The issue is that my system really needs to do the following:
>
> 1. Accept the info
> 2. Check if there is any HTML syntax (<p>, etc)
> 3. If YES: remove anything that might be harmful (eg FORM, etc)
> 4. If NO: Replace CR/LF with <BR>
>
> The idea is that normal formatting such as <b>, <i>, <u>, <a href> is
> ok, but I do not want any illegal stuff. I want something a little like
> Slashdot's stuff.
>
> Easy?? anyone know anything about this?
>
> Thanks
>
> David R
>

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
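The allow-list approach Justin recommends at the end of his reply, written out as an added example (this is not code from the thread or from the PHP manual). strip_tags() alone leaves attributes such as onmouseover on the tags it keeps, so this version parses the input with a real HTML parser and rebuilds the output from scratch, emitting only the tags and attributes on the list. The function names (sanitize_post, render_node, safe_href), the 4000-character cap, and the allowed set (b, i, u, and a with an http/https href, i.e. the tags David asked for) are assumptions for illustration; it relies on ext/dom and mbstring, both bundled with PHP.

```php
<?php
// Added example (not from the thread): an allow-list filter for user HTML.
// Rather than stripping what we know to be evil, parse the input with a real
// HTML parser and rebuild the output from scratch, emitting only approved
// elements and attributes. Unknown tags are unwrapped, script/style are
// dropped with their contents, event handlers never survive, and text is
// always escaped. Assumes ext/dom and mbstring (both bundled with PHP).

// Assumption: cap on raw post size, in characters, applied before parsing.
const MAX_INPUT_LENGTH = 4000;

// Assumption: element => allowed attributes, the set David asked for.
const ALLOWED = ['b' => [], 'i' => [], 'u' => [], 'a' => ['href']];

// Elements whose contents are discarded too, not just the tag itself.
const DROP_WITH_CONTENT = ['script', 'style'];

// Only plain http/https links survive; javascript:, data:, vbscript: do not.
function safe_href(string $url): ?string
{
    $url = trim($url);
    return preg_match('#^https?://[^\s"\'<>]+$#i', $url) ? $url : null;
}

// Walk the parsed tree and serialise only what the allow-list permits.
function render_node(DOMNode $node): string
{
    $out = '';
    foreach ($node->childNodes as $child) {
        if ($child instanceof DOMText) {
            // Text is always escaped, so "<script>" typed as text stays text.
            $out .= htmlspecialchars($child->nodeValue, ENT_QUOTES, 'UTF-8');
        } elseif ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (in_array($tag, DROP_WITH_CONTENT, true)) {
                continue;
            }
            if (!array_key_exists($tag, ALLOWED)) {
                // Unknown tag (p, form, html, body, ...): drop the tag but
                // keep its filtered contents, as strip_tags() does.
                $out .= render_node($child);
                continue;
            }
            $attrs = '';
            foreach (ALLOWED[$tag] as $name) {
                if (!$child->hasAttribute($name)) {
                    continue;
                }
                $value = $child->getAttribute($name);
                if ($name === 'href') {
                    $value = safe_href($value);
                }
                if ($value !== null) {
                    $attrs .= ' ' . $name . '="'
                        . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '"';
                }
            }
            // Any attribute not listed (onmouseover, style, ...) is gone here.
            $out .= '<' . $tag . $attrs . '>' . render_node($child) . '</' . $tag . '>';
        }
        // Comments, CDATA and processing instructions are silently discarded.
    }
    return $out;
}

function sanitize_post(string $input): string
{
    // 1. Length limit first, so a 50 MB post never reaches the parser.
    $input = mb_substr($input, 0, MAX_INPUT_LENGTH, 'UTF-8');
    if ($input === '') {
        return '';
    }

    // 2. Parse with libxml's HTML parser; the XML PI tells it the bytes are
    //    UTF-8. Parse errors (unclosed tags etc.) are expected and ignored.
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true);
    $doc->loadHTML('<?xml encoding="UTF-8">' . $input);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    // 3. Rebuild from the allow-list (libxml wraps fragments in html/body,
    //    which are unwrapped like any other unlisted tag), then add <br />.
    $body = $doc->getElementsByTagName('body')->item(0);
    return $body === null ? '' : nl2br(render_node($body));
}

// Constructed sample covering the cases discussed in the thread.
$sample = "<B onmouseover=\"javascript:self.close();\">Bold</B>,<I>Italics</I>,"
    . "<A HREF=\"javascript:alert(1)\">bad link</A> "
    . "<a href=\"http://example.com/\">good link</a>\n"
    . "<script>alert('xss')</script><U>underline</U> 1 < 2";

echo sanitize_post($sample), "\n";
```

On the sample, the onmouseover handler and the javascript: href are dropped while the tags themselves are kept, the script element disappears with its body, the stray "<" in "1 < 2" comes out as &lt;, and the newline becomes a <br />. Tag names come out lowercase because libxml normalises them; the approach generalises to any tag set by editing ALLOWED, and adding a new attribute means deciding how to validate its value first, as safe_href does for links.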