daza166

Reputation: 3693

PHP validate textarea input to send in an email

I am trying to create a PHP page for users to send emails to other users in HTML. On my page (email.php) there is a textarea for the user to input their message.

Since I send the email from my server I don't want the user to write malicious code/message content (HTML, links, PHP, bad words etc.) that will result in my server's email IP getting banned as spam.

I know I can validate by using functions like str_replace(), htmlentities(), strip_tags() etc.

How can I stop the user from entering tags, links etc. in the textarea so the email is clean when sent? Is there some function to just filter the whole message string if it matches an email body format, or a way to convert the message string to just clear text, so any malicious links/tags will just show to the user as <a href='/link'>malicious link</a> rather than as a clickable 'malicious link', and instead of HTML tags running they just show as the tag itself?

Like Gumtree, for instance: when you send an email you get a form with a textarea for the message.

Thanks for any suggestions.

Upvotes: 0

Views: 2478

Answers (3)

Álvaro González

Reputation: 146450

I'd recommend a third-party library like HTML Purifier that uses a white-list approach.

Upvotes: 1
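Worked example of the allow-list approach this answer recommends, added here and not part of the original answer. It assumes HTML Purifier is installed with Composer (package ezyang/htmlpurifier) so that vendor/autoload.php exists; the allowed-element list, the function name and the sample message are illustrative choices, not something the answer prescribes.

```php
<?php
// Added example (not from the original answer): run a textarea submission
// through HTML Purifier before embedding it in an HTML email.
// Assumption: HTML Purifier installed via Composer (ezyang/htmlpurifier).
require_once __DIR__ . '/vendor/autoload.php';

function cleanMessageHtml(string $dirty): string
{
    $config = HTMLPurifier_Config::createDefault();

    // Allow-list: only these elements and attributes survive. Anything not
    // listed (script, style, iframe, img, onclick=..., style=..., ...) is
    // removed, which is the "white-list approach" the answer refers to.
    // The list itself is an illustrative choice.
    $config->set('HTML.Allowed', 'p,br,b,strong,i,em,ul,ol,li,a[href]');

    // Restrict link targets to http and https. HTML Purifier's default list
    // is broader (mailto, ftp, ...); javascript: and data: are never allowed
    // and an href using them is dropped.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);

    // Mark every surviving link rel="nofollow", so the mail is less useful
    // as a link-spam vehicle.
    $config->set('HTML.Nofollow', true);

    // Don't write the serialized definition cache next to the library
    // (avoids permission warnings when vendor/ is read-only).
    $config->set('Cache.DefinitionImpl', null);

    $purifier = new HTMLPurifier($config);
    return $purifier->purify($dirty);
}

// Constructed sample input, the kind of thing a user might paste into the
// textarea. Hosts are placeholders.
$submitted = <<<'HTML'
<p>Hi, <b>check this out</b>:
<a href="javascript:alert(document.cookie)" onclick="steal()">click me</a>
<a href="https://example.com/deal">a normal link</a></p>
<script>document.location='https://evil.example/phish';</script>
<img src="x" onerror="alert(1)">
HTML;

$clean = cleanMessageHtml($submitted);
// $clean keeps the paragraph, the bold text and the https link (now with
// rel="nofollow"); the script element, the img element, the onclick
// attribute and the javascript: href are all gone.
echo $clean, PHP_EOL;
```

The point of an allow-list rather than a deny-list is that you never have to enumerate the dangerous things: a new attribute or a strangely nested tag that the library does not recognise is simply not in the list and disappears. The output is still HTML, so send it with a text/html content type; if you only ever want plain text, strip_tags() plus htmlspecialchars() is the simpler tool.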

webjawns.com

Reputation: 2300

Could you clarify a bit?

From what you've described, strip_tags() then htmlentities() seems sufficient, unless I misunderstand what you are asking. Neither function is for validation; they are for filtering.

strip_tags() removes PHP and HTML tags, and htmlentities() will ensure applicable characters are converted to their HTML entity equivalents.

Upvotes: 1
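Worked example of the two filters this answer names, added here and not part of the original answer. It also shows the decision that "strip_tags() then htmlentities()" leaves open: whether the body goes out as text/plain (then strip the tags and do not entity-encode) or as text/html (then entity-encode so tags show up literally, which is what the question asks for). Function names, the sample message and the placeholder hosts are illustrative.

```php
<?php
// Added example (not from the original answer). Two ways to turn a textarea
// submission into a body that cannot be interpreted as markup, plus the one
// header check worth having when user input reaches mail().

// Filter 1: strip_tags() removes HTML and PHP tags. Use it when the mail is
// sent as text/plain. Do not entity-encode a text/plain body, or
// "Tom & Jerry" arrives as "Tom &amp; Jerry".
function messageAsPlainText(string $raw): string
{
    $text = str_replace("\0", '', $raw);               // drop NUL bytes
    $text = str_replace(["\r\n", "\r"], "\n", $text);  // normalise line endings
    // Tags go away; the text between them stays. Note that strip_tags() does
    // not remove the *contents* of <script>...</script>, only the tags.
    $text = strip_tags($text);
    return trim($text);
}

// Filter 2: htmlspecialchars() (the part of htmlentities() that matters here)
// turns < > & " ' into entities, so a tag the user typed is displayed as the
// tag itself instead of being rendered. Use it when the mail is sent as
// text/html and the recipient should see exactly what was typed.
function messageAsEscapedHtml(string $raw): string
{
    $text = str_replace("\0", '', $raw);
    $text = str_replace(["\r\n", "\r"], "\n", $text);
    $escaped = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return nl2br($escaped);  // keep the user's line breaks visible in HTML
}

// Anything that ends up in a mail header (Subject, From, Reply-To) must be a
// single line: a CR or LF inside it lets the sender append headers of their
// own, such as extra recipients. Reject it rather than trying to clean it.
function requireSingleLine(string $value, string $field): string
{
    if (preg_match('/[\r\n]/', $value)) {
        throw new InvalidArgumentException("$field must not contain line breaks");
    }
    return $value;
}

// Illustrative sender that picks the filter to match the content type.
function sendUserMessage(string $to, string $subject, string $raw, bool $asHtml): bool
{
    $subject = requireSingleLine($subject, 'Subject');
    if ($asHtml) {
        $body = messageAsEscapedHtml($raw);
        $type = 'text/html; charset=UTF-8';
    } else {
        $body = messageAsPlainText($raw);
        $type = 'text/plain; charset=UTF-8';
    }
    $headers = "MIME-Version: 1.0\r\nContent-Type: $type\r\n";
    return mail($to, $subject, $body, $headers);
}

// Constructed sample input (placeholder host).
$raw = "Hi!\n<a href='https://evil.example/phish'>malicious link</a> & <script>alert(1)</script>";

// text/plain variant: the <a> and <script> tags are removed, the link text,
// the ampersand and the script's inner text remain as ordinary text.
echo messageAsPlainText($raw), PHP_EOL;

// text/html variant: nothing is removed, but every < > & ' is encoded, so the
// recipient sees the tags written out rather than a clickable link or a script.
echo messageAsEscapedHtml($raw), PHP_EOL;
```

One caveat neither filter addresses: a bare URL typed as text (https://evil.example/phish with no tag around it) survives both functions, because it is not markup. Keeping that kind of content out of outgoing mail is a moderation or rate-limiting question, not an encoding one.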

Mihai Iorga

Reputation: 39704

You cannot stop users from inserting HTML tags, not even with JavaScript, since almost all browsers have developer tools and any HTML element on any website can be altered after the page is loaded.

You can add JavaScript validation just for appearance, but PHP validation is a MUST, since you cannot restrict the user.

Even headers can be modified, so you need those PHP filters, as you mentioned above.

Upvotes: 0
