Daniel (cyberai_dan) wrote in php,

Just say no... to BB tags!

It's a common practice, when implementing a system requiring content submission that might include HTML tags, to strip the input fields of all HTML and get the users to use pseudo-tags instead, such as [ b ] instead of < strong >, which will be replaced by the content-view script. This serves its purpose by removing any malicious code from the input text. It also limits the extent to which a user can alter the appearance of their submission, e.g. they are unable to post IFRAME or MARQUEE tags.

The downside to this method is that it needs the user to adapt to a modified and often custom tag system. It is also cumbersome to code, as you have to do a lot more work than necessary: coding a set of tags, ways to parse them, etc.

Enter PHP's strip_tags function. It is likely you will already be using this library function to remove unwanted HTML (possibly along with htmlspecialchars). But you might not know that strip_tags has an optional argument of allowed HTML tags. Using this function with an array of "safe" HTML tags passed in, you can easily save yourself a lot of hassle and allow the user to operate within the realm of proper HTML instead of some new tag set!

Not sure if this will help anyone but I found it very useful in my own projects... enjoy!
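
Added example, not part of the original post: strip_tags() leaves the attributes on allowed tags untouched (the PHP manual notes this for style and onmouseover), so a tag allowlist alone still lets event handlers and inline styles through. The sketch below puts the post's call next to a version that also drops every attribute; the function names and sample input are constructed, the allowed tags are passed as a string (accepted by all PHP versions), and the DOM extension is assumed to be loaded.

```php
<?php
// Added example; function names are hypothetical and the input is constructed.

const ALLOWED_TAGS = '<b><strong><i><em><p><br>';

// The post's approach: allowlist tag names only. Attributes are left untouched.
function filter_tags_only(string $html): string
{
    return strip_tags($html, ALLOWED_TAGS);
}

// Allowlist tag names, then remove every attribute from the surviving elements.
function filter_tags_and_attributes(string $html): string
{
    $clean = strip_tags($html, ALLOWED_TAGS);

    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true);   // user markup is rarely valid
    // The XML declaration makes libxml read the input as UTF-8; the <div> is a
    // wrapper we control (div is not allowlisted, so the input cannot contain one).
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $clean . '</div>');
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $wrapper = $doc->getElementsByTagName('div')->item(0);
    if ($wrapper === null) {
        return '';
    }
    foreach ($wrapper->getElementsByTagName('*') as $element) {
        while ($element->attributes->length > 0) {
            $element->removeAttributeNode($element->attributes->item(0));
        }
    }

    $out = '';
    foreach ($wrapper->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample submission.
$input = '<b onmouseover="alert(1)">bold</b> <i style="position:fixed">italic</i>'
       . '<script>alert(2)</script><iframe src="//example.invalid"></iframe>';

echo filter_tags_only($input), "\n";            // handlers and style survive
echo filter_tags_and_attributes($input), "\n";  // same tags, no attributes
```

If links are ever added to the allowlist, dropping all attributes is no longer an option, and href values then need their own scheme check.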