PHP Security - Combining Functionality of strip_tags() & htmlspecialchars()
I want my forum users to be able to insert links and other allowed tags. For example I would like the following HTML in a post to display as the writer intended (i.e. as a function
Solution 1:
You pretty much need to use a full-featured HTML parser and sanitizer. The overall workflow is the following:
- The user enters their HTML
- You parse it with the parser
- You sanitize what was parsed by keeping only what you want (<a> tags, but be wary of onclick attributes, and similar).
You could look into HTML Purifier, and if it doesn't fit your needs, the HTML Purifier website has a comparison of other PHP sanitizers. I believe the default HTML Purifier configuration will retain links.
Obligatory reference: please refrain from using regex to parse HTML.
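An added example (not part of either answer) of the parse-then-allowlist workflow Solution 1 describes, using PHP's built-in DOMDocument rather than HTML Purifier. The function names, the allowed tag list and the sample input are my own assumptions; a real forum would still be better served by a maintained sanitizer.

```php
<?php
// Allowlist sanitizer: parse the user's HTML into a DOM, walk it, and emit only
// the tags and attributes listed here. Everything else keeps its text content
// (re-escaped) but loses its element, so <script>, onclick= and javascript: go away.
function sanitizeHtml(string $html): string
{
    $allowed = ['a' => ['href'], 'b' => [], 'i' => [], 'p' => [], 'br' => []];

    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // forum input is rarely well-formed; don't warn
    // The <?xml encoding> prefix makes libxml treat the input as UTF-8.
    $doc->loadHTML('<?xml encoding="UTF-8">' . $html);
    libxml_clear_errors();

    // libxml wraps a fragment in <html><body>; render the body's children only.
    $body = $doc->getElementsByTagName('body')->item(0);
    return $body === null ? '' : renderNode($body, $allowed, true);
}

function renderNode(DOMNode $node, array $allowed, bool $isRoot = false): string
{
    if ($node instanceof DOMText) {
        // Text is always re-escaped on output, so "<script>" typed as text stays text.
        return htmlspecialchars($node->nodeValue, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
    if (!($node instanceof DOMElement)) {
        return ''; // comments and processing instructions are dropped
    }
    $children = '';
    foreach ($node->childNodes as $child) {
        $children .= renderNode($child, $allowed);
    }
    $tag = strtolower($node->tagName);
    if ($isRoot || !isset($allowed[$tag])) {
        return $children; // tag not on the allowlist: keep content, drop the element
    }
    $attrs = '';
    foreach ($allowed[$tag] as $name) {
        if (!$node->hasAttribute($name)) continue;
        $value = $node->getAttribute($name);
        // Only http(s) links survive; the DOM has already decoded entities, so
        // obfuscated "javascript:" values also fail this check.
        if ($name === 'href' && !preg_match('#^https?://#i', $value)) continue;
        $attrs .= ' ' . $name . '="' . htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '"';
    }
    if ($tag === 'br') return '<br>';
    return "<$tag$attrs>$children</$tag>";
}

// Constructed sample input: a link with an event handler and a script block.
echo sanitizeHtml('<a href="https://example.com" onclick="x()">ok</a><script>1</script>');
```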
Solution 2:
I would suggest using stripslashes(), and if this is going to a database, also mysql_real_escape_string().
// without SQL.
function safeData($data) {
    // trim whitespace, escape HTML special characters, drop any tags left, strip backslashes
    $returnData = stripslashes(strip_tags(htmlspecialchars(trim($data))));
    return $returnData;
}

// with SQL.
function safeDataMySQL($data) {
    // mysql_real_escape_string() needs an open mysql_* connection and that extension
    // was removed in PHP 7.0; on newer PHP use mysqli or PDO escaping instead.
    $returnData = mysql_real_escape_string(stripslashes(strip_tags(htmlspecialchars(trim($data)))));
    return $returnData;
}