user supplied forum text and htmlentities
Posted on July 19, 2006, 2:19 pm
(posted to the forum) is cleaned with htmlentities($msg) before sending
it back to incoming GET requests.
I want to allow image uploads to registered users.
That much (allowing uploads if registered) is straightforward.
But if all my user-supplied output is scrubbed with htmlentities
first, then the img tags aren't tags, and no image will show.
How do forums (that do allow image uploads) deal with this?
Do they leave user-supplied text unchecked? Or use some
sort of a regular expression to scrub everything inside
user-supplied text except the image tags?
Re: user supplied forum text and htmlentities
They usually allow a very restrictive set of HTML, indeed enforced by regular
You could use strip_tags(), but I normally want to allow/forbid attributes
as well, then a regular expression will have to do the work.
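
One way to do what the reply describes, as an added example that is not part of the original thread: escape the whole message with htmlentities() first, then use a regular expression to turn back only one strict img form with an allowlisted src and an optional alt. The function name render_forum_message, the /uploads/ path and the file-name pattern are assumptions.

```php
<?php
// Added example: escape everything, then re-enable one strict <img> form.
// Assumption: uploaded images are served from /uploads/ under
// server-generated names made of letters, digits, "_" and "-".

function render_forum_message(string $msg): string
{
    // 1. Neutralise all markup, as the forum in the question already does.
    $safe = htmlentities($msg, ENT_QUOTES, 'UTF-8');

    // 2. Match only the *escaped* form of
    //      <img src="/uploads/NAME.EXT"> or <img src="..." alt="TEXT">
    //    Any other attribute, URL scheme or host fails to match and
    //    therefore stays as harmless escaped text.
    //    The alt class excludes "&", so no entity (including &quot;)
    //    can appear inside it and close the attribute early.
    $pattern = '~&lt;img\s+src=&quot;'
             . '(/uploads/[A-Za-z0-9_-]+\.(?:png|jpe?g|gif))&quot;'
             . '(?:\s+alt=&quot;([^&<>]{0,100})&quot;)?'
             . '\s*/?&gt;~';

    $out = preg_replace_callback(
        $pattern,
        function (array $m): string {
            $src = $m[1];          // already constrained by the pattern
            $alt = $m[2] ?? '';    // group is absent when alt was omitted
            // Rebuild the tag from validated parts only; nothing the
            // user typed outside src/alt reaches the output as markup.
            return '<img src="' . $src . '" alt="' . $alt . '">';
        },
        $safe
    );

    // preg_replace_callback() returns null on a PCRE error; fall back to
    // the fully escaped text rather than emitting nothing.
    return $out ?? $safe;
}

// Constructed sample posts: one allowed image, three that stay escaped.
$samples = [
    'Look: <img src="/uploads/cat_01.png" alt="my cat">',
    '<img src="/uploads/cat_01.png" onerror="x()">',
    '<img src="javascript:x()">',
    '<script>x()</script>',
];
foreach ($samples as $s) {
    echo render_forum_message($s), "\n";
}
```

Only the first sample is emitted as a real img element; the other three come out as escaped text, because the pattern allows nothing beyond src and alt.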