xisto Community
shadowx

Php And Disabling Html Tags how can i do this?


Hello everyone

I'm TRYING to make a forum and obviously for security I need to disable HTML tags being used in posts. I know how to use the str_replace() function but to be honest I think I'd have to do that for every single tag. I also tried using the HTML

<XMP> stuff </XMP>
tag but I need to be able to use the new line tag to make a new line, as all the posts are stored as HTML. If this isn't clear let me give an example:

NEW POST PAGE > user makes new post and posts it > PHP PROCESSOR PAGE MAKES HTML FILE > NEW HTML FILE CONTAINING THE POST > user views the post using a PHP page to retrieve the HTML and display it


Hopefully that explains it better. So unless I can find another way of putting line breaks into the message I need to disable all HTML tags except the new line tag. I'm beginning to think that HTML might not be ideal for storing the message data, but I was sure that an SQL table had a character limit of 255 characters, or am I wrong?

Thanks in advance


Virtually every single forum script out there uses a database, whether that be MySQL, SQLite, PostgreSQL or another system. As far as I am aware there isn't a character limit of 255 on things like the TEXT datatype in MySQL. This is how most forums store their post content, and it allows you to have long posts with no character limit, although many forums impose a character limit due to database size restrictions.

As for the removing HTML tags, your best bet would be to remove all tags, so < anything > and then replace a linebreak with a special character, like the ? symbol. Then when you load the post, remove that symbol and replace it with a linebreak tag. If not then look at some tutorials or other forum scripts and see how they do it.


Virtually every single forum script out there uses a database, whether that be MySQL, SQLite, PostgreSQL or another system. As far as I am aware there isn't a character limit of 255 on things like the TEXT datatype in MySQL. This is how most forums store their post content, and it allows you to have long posts with no character limit, although many forums impose a character limit due to database size restrictions.

As for the removing HTML tags, your best bet would be to remove all tags, so < anything > and then replace a linebreak with a special character, like the Ś symbol. Then when you load the post, remove that symbol and replace it with a linebreak tag. If not then look at some tutorials or other forum scripts and see how they do it.


Hmm... I might give the database idea a go, it would save a lot of hassle I guess. It just made me think also with this forum that it seems to have each post stored as an HTML file; if you look at the address bar it's topicname12345.html where 12345 is a random number.

I shall try using the database and such I think. God knows where I got the idea of a character limit then!

thanx


The topics aren't stored as HTML pages but in databases, as rvalkass mentioned. The links to HTML pages that you see on the D2-Latest Topics Mod at the bottom and everywhere else are all virtual and are formed, somehow, using Apache. To prove that they aren't proper pages but virtual, visit the URL below:

http://forums.xisto.com/topic/37546-php-and-disabling-html-tags-how-can-i-do-this/

As for trying to stop people utilising HTML, try this code:

<?php
// Replace the angle brackets with their HTML entities
$post = str_replace('<', '&lt;', $post);
$post = str_replace('>', '&gt;', $post);
?>

And for making new lines in the textbox turn into <br />

<?php $post = nl2br($post); ?>

To make it so that the break tag appears in HTML format rather than XHTML format, add the following code afterwards:

<?php $post = str_replace('<br />', '<br>', $post); ?>

$post being whatever the variable containing the post's data is and &lt; and &gt; are the ASCII codes for < and > so they won't render as HTML.


I think all you're looking for is one small function:

htmlspecialchars($data);
I'm not sure if this is what you are looking for, but what this does is takes any html tags and puts them into english, so it will print out the html.
, arctic


Thanks for that electriic ink, it makes sense. I think I'll use a database and some of the functions below to strip the HTML and then do it that way. I learn something new every day! Still have no idea how I got the whole 255 character limit thing from though... It puzzled me how forums worked, I just assumed they used some kind of file to store the data in, now I know differently!


Little off-topic, but Xisto's method could be repeated using Apache's mod_rewrite (I'm not 100% sure what path Xisto takes, but I'm assuming it would be similar to this):

RewriteRule ^/?forums/(.*)-t([0-9]*)\.html$ /path/script.php?tid=$2 [L,QSA]

This completely disregards the actual path, only taking into consideration the numbers which appear after the '-t' and before the '.html', and passing that value onto '/path/script.php' which can then do with it as it will. This URL rewriting is done on Xisto purely for SEO purposes; there are many other things you could use it for, though.


Regretfully going off topic here. Xisto's forum, Invision, has built-in "disable HTML tags" under admin control. However, I'm sure when the admin's control is triggered it uses some reliable stripping method to cancel out the < html command > and post it as plain text.


I don't think he wants to remove HTML, as such, just make it so that it is displayed as plaintext rather than as HTML. As has already been mentioned, htmlentities() will do this for you by converting certain characters into their HTML entities (&[htmlentity]; which can either be a number of predefined entity titles, or the ASCII value of the character) - however, it's not a 100% surefire way to prevent injection. I don't know exactly how IPB sanitizes posts, but it is quite an extensive process.

 

Anyway, that's going off topic; back to the original problem. You could try something like:

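$post = htmlentities($post);
$post = str_replace("\r\n", "\n", $post);
// preg_replace_callback stands in for the /e modifier, which PHP 7 removed
$post = preg_replace_callback('#\n+#', function ($m) { return strlen($m[0]) > 1 ? "<p />\n" : "<br />\n"; }, $post);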
What that should do (it's untested and only theoretical) is replace all single instances of '\n' (new line character) with a '<br>' (line break), and all multiple instances with a '<p>' (paragraph). Strictly speaking, <p> tags should be closed, but it will result in the desired visual effect. Hope that helps.
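
An added example, not part of the original thread or any poster's code: one way to combine the suggestions above when a post is stored as raw text in the database and turned into HTML only at display time. The function name render_post() and the sample post are made up for illustration.

```php
<?php
// Added example: render a stored forum post as safe HTML.
// render_post() and the sample input below are hypothetical.

function render_post(string $raw): string
{
    // Normalise Windows (\r\n) and old Mac (\r) line endings to \n.
    $text = str_replace(["\r\n", "\r"], "\n", $raw);

    // Escape BEFORE adding any markup of our own, otherwise the <br>
    // and <p> tags inserted below would be escaped as well.
    // ENT_QUOTES also escapes ' and " (the default before PHP 8.1 left
    // single quotes alone); ENT_SUBSTITUTE replaces invalid UTF-8
    // sequences instead of returning an empty string.
    $text = htmlspecialchars(trim($text), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // Two or more newlines separate paragraphs; a single newline
    // inside a paragraph becomes a line break.
    $paragraphs = preg_split('/\n{2,}/', $text, -1, PREG_SPLIT_NO_EMPTY);

    $html = '';
    foreach ($paragraphs as $p) {
        // Closed <p> elements, so the output stays well-formed.
        $html .= '<p>' . str_replace("\n", "<br>\n", $p) . "</p>\n";
    }
    return $html;
}

// Constructed sample post: markup, an ampersand, quotes and mixed
// line endings, as a user might type them into the textbox.
$raw = "Hello <b>world</b>\r\nsecond line & more\n\n\n"
     . "<script>alert('x')</script>";

// The tags typed by the user come out as visible text; only the
// <p> and <br> added by render_post() are real markup.
echo render_post($raw);
```

Because nothing is escaped before it is saved, the same stored text can later be shown in an edit box or another output format without being double-encoded.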
