Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 6 years ago.
Improve this question
I'm developing a Blog, and I want to give some Style to the content of Every post body.
I'm storaging each post with a form into my data base, and then retrieving it into the blog.
My form has Title, Date and Body.
What I need is to retrieve the body, and separate the paragraphs, quotes, and whatever I want to.
My idea was to add characters in the body like % or & (% mean paragraph, and & quote for example), so the I can use explote function.
Is there a simpler way?
You'd honestly be so much better to store your post's content as HTML and simply output that.
You'll have to implement security yourself but this could be as simple as using the strip_tags() function - example:
$post_body = strip_tags($_POST['body'], '<p><strong><em><span><a><blockquote>');
This would simply strip all HTML tags other than <p>, <strong>, <em>, <span>, <a> and <blockquote>. That should prevent any issues with malicious users inserting Javascript code etc.
Hope that helps!
Related
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 5 years ago.
Improve this question
I want to get all the visible text from a url. I need to clear all html code and get plain text.
The process does not have to be perfect, but I would like the text to be as clean as possible.
Do you know any way to make it relatively simple?
Thanks!
Javi.
Have a look at strip_tags function.
strip_tags — Strip HTML and PHP tags from a string
It may do the job.
You can get url the value of the query string using $_GET['the names in there']. and use strip_tags to get only the text.
function get_url(){ return $_GET['name userd'];}
and use something like this
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 6 years ago.
Improve this question
I have an input named comment. User writes his comment into it and sends it under a post. Something like StackOverflow's comments:
As you see, there is a <a> tag into new comment. And it will be stored in the database like this:
And when I fetch it again, it breaks the HTML of my website:
I mean everything after that <a> will be a link. I don't want that. How can I prevent that happening?
If you wish to store no tag, then use strip_tags and if you still wish to have mark-up then use something like Parsedown.
Example
$string = '<b>Hello,<> please remove the <> tags.</b>';
echo strip_tags($string);
Output
Hello, please remove the tags.
Update
What you are actually looking for is htmlspecialchars.
<?php
$str = 'Hello blah.';
echo htmlspecialchars($str, ENT_QUOTES);
?>
Output
Hello blah.
You can use what some plugins does on wordpress they change the < and > for [ and ].
To prevent code injection I recomend replacing only the following tags
<p></p><ul></ul><li></li><a></a>
This is done vía javascript in client side and sent to server vía ajax:
$("yourtag").replace(/</g, "[").replace(/>/g, "]").replace(/"/g, "'").replace(/ /g, "andnbsp");
If you are using php to retreive data from the DB, you need to use strreplace on the column where the html is stored, to change [] with <>, in this way your code will not be break
Keep in mind to only allow the tags you want as allowing all kinds of tags open the door to an out security, this is donde on server side languaje.
Hope this is helpful...
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 7 years ago.
Improve this question
I am working on a form completion view that needs to be easily copied. One of the inputs is a that displays multiple lines. So person can type out something that looks like this.
Dear Bob,
I am here to do this.
Thank you
SirRahal
I then take that data and store it into a database as varchar(1500) latin1_swedish_ci. The issue is that when I try to display this data in anything other than a it combines all the lines into 1. Example the not above would display like this:
Blockquote
Dear Bob, I am here to do this. Thank you SirRahal
The reason why I can't use a textarea to display it is because it doesn't copy and paste friendly.
Questions:
1) Is there another way of displaying this correctly?
2) Are there hidden characters in the string that I can use to identify in php and parse the text?
This code does work but I can't use a textarea:
<textarea>
<?php echo $model->description;?>
</textarea>
I believe you need to add nl2br when you output, e.g.
<?php echo nl2br($model->description);?>
Use CSS, and set white-space: pre on the container of the text.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 7 years ago.
Improve this question
I have a form with a text field a user can edit, which will create a page on the website containing the text entered. How can I ensure the resulting page doesn't show anything malicious, no links, images or code, just raw text? Currently from php I'm using htmlspecialchars(), and when displaying the text on the page it's within xmp tags. Is that enough, or should I explicitly do things like validating against script tags etc?
edit: This question is different to the suggested question, because I'm not using sql.
edit 2: I accepted strip_tags. I'm now validating user input from php with htmlspecialchars(strip_tags("input")), and wrapping in xmp tags when displayed.
You can use strip_tags - it will remove everything in tags. http://php.net/manual/en/function.strip-tags.php
First of all: use prepared statments for your database storing, updating etc etc...
Second: You should escape the output using htmlspecialchars() function, It will just convert special characters to HTML entities, so if you put a script tag in there, It will not run.
Unless you want your users to post code just like here in StackOverflow, you can just use strip_tags() function as #user2182349 pointed out.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 8 years ago.
Improve this question
The title says it all.
Should I include htmlspecialchars(); function inside <a> tag?
Thanks
htmlspecialchars is a function to escape certain characters which have a special meaning in HTML. For example, if you wanted to embed a value which contains quotes inside an HTML attribute:
<a title="Simon says "Hello World"">
This obviously breaks the HTML syntax. You need to apply the escaping function to the value Simon says "Hello World" to arrive at:
<a title="Simon says "Hello World"">
This is now correct HTML syntax.
The same goes for values containing < or > in regular text, because those can obviously be interpreted as HTML tags. Read The Great Escapism (Or: What You Need To Know To Work With Text Within Text) for more on the topic.
You need to do this the same way for all HTML tags and values.
printf('%s',
htmlspecialchars($url),
htmlspecialchars($title),
htmlspecialchars($content));
URLs have their own escaping rules, you may have to URL encode values you put into a URL before you put it into HTML:
$url = sprintf('/foo/%s', urlencode($bar));
printf('...', htmlspecialchars($url));