user supplied forum text and htmlentities

I have a forum where all user-supplied text
(posted to the forum) is cleaned with htmlentities($msg) before sending
it back to incoming GET requests.

I want to allow image uploads to registered users.
That much (allowing uploads if registered) is straightforward.

But if all my user-supplied output is scrubbed with htmlentities
first, then the img tags aren't tags, and no image will show.

How do forums (that do allow image uploads) deal with this?
Do they leave user-supplied text unchecked? Or use some
sort of a regular expression to scrub everything inside
user-supplied text except the image tags?

Re: user supplied forum text and htmlentities

pittendrigh wrote:

They usually allow a very restrictive set of HTML, indeed enforced by regular
You could use strip_tags(), but I normally want to allow/forbid attributes
as well; then a regular expression will have to do the work.

Rik Wasmus
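
One way to apply the approach from the reply, as an added example that is not part of the original thread: escape everything with htmlentities() first, then use a regular expression to turn back only a strictly formed img tag with a single allowed attribute. The render_post() name, the /uploads/ path and the file-name rule are assumptions for illustration, and the sample posts are constructed.

```php
<?php
// Added example, not code from the thread.
// Assumption: uploaded images are stored under /uploads/ with
// server-generated names made of letters, digits, "_" and "-".

function render_post(string $msg): string
{
    // 1. Escape everything, so no user-supplied markup survives as markup.
    $safe = htmlentities($msg, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // 2. Re-enable exactly one escaped form: <img src="/uploads/NAME.ext">
    //    with no other attributes. Anything else stays escaped text.
    $pattern = '~&lt;img src=&quot;'
             . '(/uploads/[A-Za-z0-9_-]{1,64}\.(?:png|jpe?g|gif))'
             . '&quot;\s*/?&gt;~';

    $out = preg_replace_callback(
        $pattern,
        function (array $m): string {
            // $m[1] passed the allow-list above: no quotes, no scheme,
            // no "..", so it can be placed in the attribute as-is.
            return '<img src="' . $m[1] . '" alt="user image">';
        },
        $safe
    );

    // preg_replace_callback() returns null on a PCRE error;
    // fall back to the fully escaped text in that case.
    return $out ?? $safe;
}

// Constructed sample posts.
$samples = [
    'Look: <img src="/uploads/cat_01.png">',               // allowed form
    '<img src="/uploads/cat_01.png" onerror="x">',         // extra attribute
    '<img src="http://example.com/a.png">',                // off-site source
    '<b>bold</b> and <script>x</script>',                  // other tags
];

foreach ($samples as $s) {
    echo render_post($s), "\n";
}
```

Only the first sample comes back as a real img element; the other three are output as escaped text because they do not match the allowed form exactly.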
