Jatt
Reputation:
PHP: How can I disallow HTML content in user-generated content?
I run a niche social network site. I would like to disallow HTML content in user posted messages; such as embedded videos etc. what option is there in php to clean this up before I insert into the db.
Upvotes: 7
Views: 229
Answers (2)
DisgruntledGoat
Reputation: 72580
There are three basic solutions:
- Strip all HTML tags from the post. In PHP you can do this using the
strip_tags()function. - Encode all the characters, so that if a user types
<b>hello</b>it shows up as<b>hello</b>in the HTML, or<b>hello</b>on the page itself. In PHP this is thehtmlspecialchars()function. (Note: in this situation you would generally store the content in the database as-is, and use htmlspecialchars wherever you output the content.) - Use a HTML sanitizer such as HTML Purifier. This allows users to use certain HTML formatting such as bold/italic, but blocks malicious Javascript and any other tags you wish (i.e.
<object>in your case). You may or may not wish to do this before storing in the database, but you must always do it before output in either case.
Upvotes: 14
Related Questions
- how to stop user putting HTML code in text inputs
- Preventing XSS from within HTML elements
- Preventing XSS but still allowing some HTML in PHP
- Don't allow user to enter HTML tags in input
- HTML: how to stop a html code in a string written in PHP from appearing as a Html Element on the Web Page
- White list of HTML tags I should allow from user generated content?
- Display user created invalid HTML content without messing up the page
- Prevent html insertion in text php
- How can I disallow all HTML using markdown (PHP and JS)?
- PHP: Allow users to make posts with certain tags