
Displaying Formatted User Input Page 3

By Ying Zhang
on July 30, 2000

Some notes:

  • Remember to do string replacements after you call htmlspecialchars()
    and not before, otherwise all your hard work in turning your custom markups
    into HTML markups will be lost when you call htmlspecialchars().
  • Remember to search for the HTML entity in your replacements, for example
    instead of looking for " (double quote) you would look for &quot;
    since that is what it got translated to. See
    the manual
    for the other translations that occur.
  • The nl2br() function inserts a <br /> tag before each linebreak (older
    PHP 4 releases emitted <br>), again make sure this is called after
    htmlspecialchars(), not before.
  • When converting [link=""] into <a href="">, you must
    be sure to prevent people from inserting javascript. A simple way to
    do that is to change [link="javascript into [link=" javascript,
    that way it won't match the pattern for links and it will just be displayed
    as is. Be aware that a literal check like this misses case variants such
    as "JavaScript:", other active schemes such as vbscript: and data:, and
    leading whitespace or control characters that browsers discard before the
    scheme; a more robust check only accepts URLs that start with a known
    scheme (http://, https://, mailto:) or are relative or fragment links.
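To make the ordering in these notes concrete, here is an added example (written for this edit, not the article's outputlib.php) of a format_output() that escapes first, rewrites the custom markups against the already-escaped text, and only turns a [link] into an anchor when the URL's scheme is on an allow-list. The markup names follow the test.php text below; the [indent] to <blockquote> mapping, the safe_href() helper and the set of accepted schemes are assumptions of this example, not the article's.

```php
<?php
// Added example, not the article's outputlib.php: a format_output() that
// applies the ordering rules from the notes. The [indent] -> <blockquote>
// mapping and the allow-list of URL schemes are assumptions made here.

// Return an attribute-safe href, or null if the URL is not one we allow.
// $url is the text captured from the markup, already run through
// htmlspecialchars(), so & appears as &amp; and " as &quot;.
function safe_href(string $url): ?string
{
    $raw = html_entity_decode($url, ENT_QUOTES, 'UTF-8');
    // Browsers skip leading whitespace and control characters before the
    // scheme, so strip them before matching instead of trusting a literal check.
    $raw = preg_replace('/^[\x00-\x20]+/', '', $raw);
    // Reject any remaining control characters outright.
    if (preg_match('/[\x00-\x1f]/', $raw)) {
        return null;
    }
    // Allow-list: fragment links, site-relative paths (but not //host),
    // or an explicit http, https or mailto URL. javascript:, vbscript:,
    // data: and anything else fail to match and are rejected.
    if (!preg_match('~^(#|/(?!/)|https?://|mailto:)~i', $raw)) {
        return null;
    }
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

function format_output(string $text): string
{
    // 1. Escape first. Every replacement below runs on the escaped text,
    //    so any HTML typed by the user stays inert.
    $out = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');

    // 2. Simple markups that carry no attributes. strtr() tries the longest
    //    keys first, so [pre] is not mistaken for [p].
    $out = strtr($out, [
        '[b]' => '<b>',               '[/b]' => '</b>',
        '[i]' => '<i>',               '[/i]' => '</i>',
        '[pre]' => '<pre>',           '[/pre]' => '</pre>',
        '[indent]' => '<blockquote>', '[/indent]' => '</blockquote>',
        '[p]' => '<p>',
    ]);

    // 3. Anchors and links. The patterns look for &quot; rather than "
    //    because htmlspecialchars() has already translated the quotes.
    $out = preg_replace_callback(
        '/\[anchor=&quot;([A-Za-z0-9_-]+)&quot;\]/',
        function ($m) {
            return '<a name="' . $m[1] . '"></a>';
        },
        $out
    );
    $out = preg_replace_callback(
        '/\[link=&quot;(.*?)&quot;\](.*?)\[\/link\]/s',
        function ($m) {
            $href = safe_href($m[1]);
            // Disallowed URL: leave the markup as typed so it is shown literally.
            if ($href === null) {
                return $m[0];
            }
            return '<a href="' . $href . '">' . $m[2] . '</a>';
        },
        $out
    );

    // 4. Line breaks last, also after htmlspecialchars().
    return nl2br($out);
}

// Constructed sample input, echoing the test.php text from the article plus
// two hostile links that must not become clickable.
$sample = "Regular HTML <script>alert(1)</script> is escaped.\n"
        . "This is [b]bold[/b] and [i]italics[/i].\n"
        . "[anchor=\"test\"]Jump [link=\"#test\"]here[/link] or to "
        . "[link=\"https://phpbuilder.com\"]PHPBuilder[/link].\n"
        . "Hostile: [link=\"javascript:alert(1)\"]click me[/link]\n"
        . "Hostile: [link=\" JavaScript:alert(1)\"]click me too[/link]";

echo format_output($sample);
```

Both hostile links come out as literal text: the first fails the scheme allow-list, and the second still fails after the leading space (which a browser would have ignored) is stripped, which is the case a bare string match on "javascript" does not cover.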

outputlib.php

Load up the test.php script to see the format_output() function in action.
Start by entering this in the textbox:
Regular HTML markup is not available, instead we will use special markup:

- this is [b]bold[/b]
- this is [i]italics[/i]
- this is [link="https://phpbuilder.com"]a link[/link]
- this is [anchor="test"]an anchor, and a [link="#test"]link[/link] to the anchor

[p]This is a paragraph break
[pre]This is preformatted text[/pre]
[indent]This is indented text[/indent]
This concludes our demonstration.
Currently there are only a small number of markups available – you are free to add
more as you see fit.

Conclusion

This article discussed the dangers of displaying unfiltered user input,
and provided a solution for displaying formatted user input with custom
markup tags. This can be applied anywhere you want to accept user input,
for example:
  • guestbooks
  • user comments
  • system bulletins
  • etc.
Enjoy!
–Ying