On Friday, March 15, 2002, at 03:17 PM, Alain Dresse wrote:
> I want to allow the users of my site to insert text with anchors, bold
> and italic html tags. I have filtered out all the other tags. I now want to
> convert the other <, >, quote, double quote and & to html entities. If I use
> the function htmlspecialchars, it of course also quotes the "valid" anchors.

I was wondering about a similar scheme to this -- here's my idea: take all user input, and in addition to running it through error-checking functions, run it through htmlentities() to turn all of its HTML into entities. This prevents any user-input HTML from being created (it becomes "literal"). Then, run str_replace() for each HTML tag that I -want- to enable. str_replace is faster than any of the regex functions, from what I hear, and if I want to enable just b, i, em, strong, and a tags, it seems like I could just str_replace the entities for these to transform them back to proper tags (i.e. change "&lt;b&gt;" back to "<b>").

This seems like an efficient way to do it, but is it any faster or better than just using strip_tags()? When I originally thought of doing it, it seemed like a good way of getting around the fact that user-specified JavaScript attributes are still allowed in strip_tags()-parsed text. But now that I think about it, there's no difference....

Erik

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
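The "encode everything, then restore a whitelist" scheme discussed above, written out as an added example; this is not code from the original thread, and the function name `allow_subset`, the sample strings and the example.com URL are my own constructions. It goes one step beyond the post: bare tags (b, i, em, strong) are restored with exact-token str_replace(), while anchors, which carry an attribute, are restored through a callback that only accepts an http:// or https:// href. The demo at the bottom runs the same inputs through strip_tags() for comparison, so the difference in handling of event-handler attributes and javascript: links is visible.

```php
<?php
// Added example, not from the original post. Demonstrates the
// htmlspecialchars()-then-whitelist approach next to strip_tags().

function allow_subset(string $input): string
{
    // Step 1: neutralise every <, >, quote and & in the input. After this
    // line nothing the user typed is live HTML; it is all literal text.
    $out = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');

    // Step 2: restore the bare formatting tags. str_replace() only matches
    // the exact encoded token "&lt;b&gt;", so "<b onmouseover=...>" is never
    // restored: it stays encoded and is rendered as visible text.
    foreach (['b', 'i', 'em', 'strong'] as $tag) {
        $out = str_replace(
            ["&lt;{$tag}&gt;", "&lt;/{$tag}&gt;"],
            ["<{$tag}>",       "</{$tag}>"],
            $out
        );
    }

    // Step 3: anchors carry an href, so an exact-token replace is not enough.
    // Match only the encoded form of <a href="..."> and restore it when the
    // URL starts with http:// or https://. The href value is left entity
    // encoded, so an & inside the URL is emitted as &amp;, which is the
    // correct attribute encoding.
    $out = preg_replace_callback(
        '#&lt;a href=&quot;(.*?)&quot;&gt;#',
        function (array $m): string {
            $href = $m[1];
            // Reject anything that is not a plain http(s) URL, and reject a
            // capture that swallowed an encoded quote (the non-greedy .*?
            // can extend past &quot; when it is not followed by &gt;).
            if (strpos($href, '&quot;') !== false
                || !preg_match('#^https?://#i', $href)) {
                return $m[0];   // javascript:, data:, vbscript: etc. stay literal
            }
            return '<a href="' . $href . '">';
        },
        $out
    );
    $out = str_replace('&lt;/a&gt;', '</a>', $out);

    return $out;
}

// Constructed sample inputs (not real user data) covering the cases
// raised in the thread: plain formatting, an event-handler attribute,
// a normal link with a query string, a javascript: link and a script tag.
$samples = [
    'Plain <b>bold</b> and <i>italic</i> text',
    '<b onmouseover="alert(1)">hover me</b>',
    '<a href="http://example.com/?a=1&b=2">a normal link</a>',
    '<a href="javascript:alert(1)">a bad link</a>',
    '<script>alert(1)</script>',
];

foreach ($samples as $s) {
    echo "input:      {$s}\n";
    // strip_tags() with an allow list keeps the allowed tags verbatim,
    // attributes included.
    echo "strip_tags: " . strip_tags($s, '<b><i><em><strong><a>') . "\n";
    echo "whitelist:  " . allow_subset($s) . "\n\n";
}
```

With these inputs strip_tags() passes the `onmouseover` handler and the `javascript:` href through untouched, because it only decides which tag names survive, whereas the encode-then-restore version leaves both encoded. The price is rigidity: `<a href="http://example.com/" >` with an extra space, or `<b >`, is not recognised and shows up as literal text, which is usually the right failure mode for user-supplied markup.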