Escape all HTML except <br> - php

I am trying to display comments on a page and am having some trouble.
There are essentially two different types of comments I am trying to handle:
(1) The XSS type, e.g. <script type="text/javascript">alert('hi')</script>. This is handled fairly easily by escaping it before it gets into the database and then running stripslashes and htmlentities on it.
(2) The comment with <br> breaks in it. When the data is stored in the database, I am running nl2br on it so the data looks like hi<br>hello<br><br>etc. However, when I display this comment, the <br>s do not turn into page breaks like I want them to.
Any idea what to do? I should note that turning off htmlentities fixes the second type, but the first type then is executed as pure html and displays an alert dialog.
Thanks,
Phil

If you want to remove unwanted tags you can try strip_tags. It supports allowable_tags, so you can specify any tags that you don't want stripped. A sample from the manual:
// Allow <p> and <a>
// you can add <br> if you want it not stripped
echo strip_tags($text, '<p><a>');
So after you've converted all \n to line breaks you don't have to worry about them being stripped. May not be what you want, but I hope it gives an idea.

One method: Replace <br> with a placeholder, like \n. Then do htmlentities to clean up html code. Finally, replace \n back with <br> to recover the line breaks.
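The placeholder approach from the answer above, written out as an added example (not code from the question or either answer). It assumes the stored comment is the raw text after stripslashes, already containing <br> from nl2br() at insert time; the function name is hypothetical.

```php
<?php
// Added example of the "placeholder" approach: undo nl2br(), escape everything,
// then redo nl2br(). Helper name is hypothetical, not from the original answers.

function escape_except_br(string $stored): string
{
    // 1. Turn every <br> variant (<br>, <br/>, <br />) back into a plain newline.
    $text = preg_replace('#<br\s*/?>#i', "\n", $stored);

    // 2. Escape ALL remaining HTML so a <script> tag is displayed, not executed.
    //    ENT_QUOTES also escapes single quotes, which matters inside attributes.
    $text = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');

    // 3. Restore the line breaks as real <br /> tags; nothing else is unescaped.
    return nl2br($text);
}

// Constructed sample of what a stored comment might look like after nl2br()
// on insert, with an XSS attempt mixed in.
$stored = "hi<br>hello<br><br>"
        . "<script type=\"text/javascript\">alert('hi')</script>";

// The <br>s come out as <br /> tags; the script tag comes out as escaped text.
echo escape_except_br($stored);
```

If you can change the storage layout, storing the raw text with its newlines and calling nl2br(htmlspecialchars($comment)) on output avoids the placeholder round-trip entirely.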

Related

PHP output string and maintain spacing [duplicate]

Any ideas why formatted text from DB, when echo-ed out in php loses its formatting, i.e. no new lines? Thanks!
Use nl2br().
New lines are ignored by the browser. That's why you see all the text without line breaks. nl2br() converts new lines to <br /> tags that are displayed as new lines in browsers.
If you want to display your text in a <textarea>, you don't need to convert the new lines to <br />. Anyway, if you do it... you will see "<br />"s as text in place of the new lines.
Because there are no html tags for formatting!
Try the nl2br function.
You could try adding the nl2br() function...
something like this: echo nl2br($your_text_variable);
It should work ;-)
The reason
This is the default behavior for all user agents. If you look at the page source, you'll see that your text has the same formatting as the one in the database (or textarea).
The reason for your confusion is probably that in one case you see the text in the <textarea> tag, which displays preformatted text and does not interpret the tags, and in the other case the text is interpreted (whitespace is not significant in this case).
The browsers don't display new lines unless specifically asked to, using the <br> tag or any block-level tags.
No tags == no new lines.
The fix
If you store preformatted text in the database, you should wrap the output in the <pre> tag.
You may want to convert the formatting characters to the HTML tags you need using a set of functions like nl2br, str_replace etc.
You may also correct your structure to store the HTML in the database instead of just plain text (however, markup looks like a better solution).
See similar question:
How do I keep whitespace formatting using PHP/HTML?
The difference between the two images you show is that one has the text in a <textarea></textarea> and the other does not ... if you want 1:1: <textarea><?php echo $yourVariable;?></textarea>
It does output what you say to output. If the text is pre-formatted, put it inside the HTML <pre></pre> tag in your output script.
This should be helpful in answering.
How do I keep whitespace formatting using PHP/HTML?
Set up a string preprocessing code for both input to database and output to display page

remove <br> tag on ckeditor output

I have integrated a textarea box with ckeditor, and each time I press enter on the backend side for a new line it outputs <br> on the front end. Is there a way to remove <br> on the front end, as I don't want the HTML tag output on the front end?
My line of code looks like the following:
echo "<strong>Sites Linked Out To</strong>: " . $row->sites_linked_out_to;
Is there a way to remove the HTML <br> tag before it gets added to the database or after?
Thank you in advance
The PHP strip_tags function takes the tags to keep as its second parameter; other HTML tags are cleaned out.
strip_tags($input, '<a><img><div><strong>');
more information for strip tags function http://php.net/manual/tr/function.strip-tags.php
You could call nl2br() when you insert the content.
This will replace any <br> with a new line \n
Note though: if you are actually seeing the tag, it's probably being URL-encoded somewhere. If you call nl2br() before this encoding takes place it should work.
You could also strip other undesired tags using strip_tags. Do this after replacing the new line.
define('ALLOWED_TAGS', '<p>,<strong>,<ul>,<li>,<ol>,<em>');
$sContent = strip_tags( nl2br($sContent), ALLOWED_TAGS);
Note though, this won't strip out <a href='#' onclick='DO_SOMETHING_BAD'>click me</a>
You could look at using a library such as html purifier to sanitise input. Or just ensure you sanitise all output correctly.
See nl2br() and strip_tags for more info.
I know I am late, but this may help someone.
Use
htmlspecialchars_decode($your_string);
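An added example (not code from the answers above) that shows the caveat in the strip_tags answer: attributes such as onclick survive on any tag you allow. Alongside it is an allow-list that escapes everything and restores only bare, attribute-free tags; the helper name and the sample editor output are constructed for this example.

```php
<?php
// Added example: strip_tags() keeps attributes on allowed tags, so an event
// handler survives. The allow-list below escapes first and then restores only
// exact, attribute-free tags. Helper name is hypothetical (not a PHP function).

function keep_bare_tags(string $html, array $allowed): string
{
    // Escape everything, including quotes, so no tag or attribute is live.
    $out = htmlspecialchars($html, ENT_QUOTES, 'UTF-8');
    foreach ($allowed as $tag) {
        // Restore exactly <tag>, </tag>, <tag/> and <tag />.
        // "<tag onclick=...>" does not match and therefore stays escaped text.
        $out = str_ireplace(
            ["&lt;$tag&gt;", "&lt;/$tag&gt;", "&lt;$tag/&gt;", "&lt;$tag /&gt;"],
            ["<$tag>", "</$tag>", "<$tag />", "<$tag />"],
            $out
        );
    }
    return $out;
}

// Constructed sample of editor output that contains a hostile link.
$content = "<strong>Sites Linked Out To</strong>:<br />"
         . "<a href='#' onclick='DO_SOMETHING_BAD'>click me</a>";

// strip_tags() with <a> and <strong> allowed: the <br /> is removed,
// but the <a> tag is kept together with its onclick attribute.
$stripped = strip_tags($content, '<a><strong>');
echo $stripped, "\n";

// Allow-list: <strong> and <br /> are restored, the <a ...> is shown as text.
$safe = keep_bare_tags($content, ['strong', 'br']);
echo $safe, "\n";
```

Because a user who literally types &lt;strong&gt; gets the ampersand escaped to &amp;lt;strong&gt;, the restore step cannot be tricked into unescaping typed text.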

Form deleting spaces

<form action="class.php" method="POST">
thread link:
<br>
<input type="text" name="thread">
<input type="submit" value="Submit">
</form>
I have this simple form. Upon entering a string starting with many spaces, something like
" test"
my PHP code
echo 'test:'.$_POST['thread'];
will print test: test. It will erase all spaces except one.
Where did all the spaces go and why does this happen?
The HTML specification says that the renderer collapses multiple spaces. That is useful in some cases. To avoid it, you can place the content of this field in a <pre></pre> block. Like this:
echo '<pre>test:'.$_POST['thread'].'</pre>';
The form does not delete spaces. Neither does your PHP code. The spaces are still there in the resulting HTML document (generated by your PHP code in response to the form submission). They just get rendered as a single space, since in most contexts any sequence of whitespace characters in HTML content is equivalent to a single space. This is defined in the CSS 2.1 spec, in the description of the white-space property.
Thus, to prevent the collapse of spaces, the simple way is to set white-space: pre in CSS. It also prevents line breaks in the content, but this is probably not a problem here. Using the pre element in HTML causes this setting, but it also sets font family to monospace.
So this is just a matter of HTML and CSS, independently of PHP. Example:
<p> Hello world!</p>
<p style="white-space: pre"> Hello world!</p>
You need to convert the whitespace to HTML entities
$thread = str_replace(' ', '&nbsp;', $_POST['thread']);
and now echo 'test:'.$thread will output your text with the whitespace.
This is the most basic thing about HTML. Any whitespace is equivalent and is treated as a single space.
You should never use multiple spaces to try to layout your text in HTML ( like you could do in Word for instance ). You should use css styles like margin or padding instead.
The answers that propose to replace the spaces with &nbsp; are correct, but they leave you on the wrong track.

Want to get <br> tags from textarea, though no other HTML at all

I'm doing a web builder and I'm having a bit of trouble.
I want to have a textarea where you can enter the text that you want for your TEXT element. For this element I disabled the HTML when it's later previewed by simply putting a .innerText before posting the preview. Though, I might just need the <br> tag.
I can use PHP or JS. Any ideas?
Use nl2br(htmlspecialchars($str)) when displaying the text. Note that the order of the function calls matters - first you escape all HTML in the string and then you convert linebreaks to HTML linebreaks.
When you are typing in a textarea, and the return key is pressed,
What actually goes on behind the scenes is this
Hi, \n There
which produces the following in the textarea.
Hi
There
Hence, what you would need to do is essentially change the \n (newline) to break tags.
http://php.net/manual/en/function.nl2br.php
Just use a plain textarea; afterwards use a function like nl2br when you display it in your HTML page
nl2br(htmlspecialchars($string))
changes the line breaks to <br /> tags, so you can display them in html as seen in the textarea.
