Disallowing HTML in textarea / comment form

New Here, Oct 11, 2008
Hi,
I'm working on a simple blog using DW, PHP & MySQL. The comment form contains a textarea box where visitors can simply post their comments. The problem is that whatever code you type in gets saved into the database as it is, and if someone posts a META Refresh tag, for example, they can redirect the page to somewhere else.

How can I prevent that from happening, and is there any way to save and call the HTML code as plain text?

Thanks in advance.
Topics: Server side applications
LEGEND, Oct 11, 2008
Dev_Guy07 wrote:
> How can I prevent that from happening, and is there any way to save and call
> the HTML code as plain text?

Use either strip_tags() or htmlentities():

http://docs.php.net/manual/en/function.strip-tags.php
http://docs.php.net/manual/en/function.htmlentities.php

--
David Powers, Adobe Community Expert
Author, "The Essential Guide to Dreamweaver CS3" (friends of ED)
Author, "PHP Solutions" (friends of ED)
http://foundationphp.com/
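As an added illustration of the two functions David points to (example code written for this thread, not David's own), here is what each does to a constructed comment that carries a META refresh tag. strip_tags() removes the markup before storage; htmlentities() keeps the visitor's text exactly as typed but encodes it so the browser displays the tag instead of acting on it.

```php
<?php
// Added example, not code from the thread: strip_tags() versus htmlentities()
// applied to a comment containing a META refresh tag.
declare(strict_types=1);

// Constructed sample input, the kind of comment the original post describes.
$comment = "Nice post!\n"
    . "<meta http-equiv=\"refresh\" content=\"0;url=http://example.com/\">\n"
    . "<b>bye</b>";

// Option 1: remove every HTML (and PHP) tag before the comment is stored.
// The text between tags survives; the tags themselves, including the
// meta refresh, are gone.
function sanitizeByStripping(string $text): string
{
    return strip_tags($text);
}

// Option 2: keep the text exactly as typed but encode it, so the browser
// renders "<meta ...>" as literal characters instead of interpreting it.
// ENT_QUOTES also encodes single quotes; ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of returning an empty string.
function sanitizeByEncoding(string $text): string
{
    return htmlentities($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

echo "strip_tags():\n", sanitizeByStripping($comment), "\n\n";
echo "htmlentities():\n", sanitizeByEncoding($comment), "\n";
```

Either function can be applied when the comment is saved or when it is printed; the important point is that raw visitor input never reaches the page unescaped.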
LEGEND, Oct 11, 2008
On Sat, 11 Oct 2008 16:19:02 +0100, David Powers <david@example.com>
wrote:

>Use either strip_tags() or htmlentities():
>
> http://docs.php.net/manual/en/function.strip-tags.php
> http://docs.php.net/manual/en/function.htmlentities.php

Or compare the results of the strip_tags() function with what was
posted and generate an error if they don't match.

Gary
New Here, Oct 11, 2008
Thanks a lot, managed to fix it.

Thanks again.
LEGEND, Oct 13, 2008
.oO(Gary White)

>On Sat, 11 Oct 2008 16:19:02 +0100, David Powers <david@example.com>
>wrote:
>
>>Use either strip_tags() or htmlentities():
>>
>> http://docs.php.net/manual/en/function.strip-tags.php
>> http://docs.php.net/manual/en/function.htmlentities.php
>
>Or compare the results of the strip_tags() function with what was
>posted and generate an error if they don't match.

But maybe sometimes you want to allow HTML as part of the message (for
example to give code examples). I would simply call htmlspecialchars()
on the output, that's enough.

Micha
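The two alternatives in the replies above, Gary's "reject the post if strip_tags() changes it" check and Michael's "store as typed, call htmlspecialchars() on output" approach, side by side as an added example (written for this thread, not code posted by either of them). The sample comments are constructed; note how a comment containing a code example is rejected by the first approach but displays correctly as text under the second.

```php
<?php
// Added example, not code from the thread: Gary's reject-if-markup check
// and Michael's escape-on-output, run over constructed sample comments.
declare(strict_types=1);

// Gary's approach: if strip_tags() changes the text, the visitor typed
// markup. Returns null when the comment is acceptable, otherwise an error.
function rejectIfMarkup(string $text): ?string
{
    if (strip_tags($text) !== $text) {
        return 'HTML tags are not allowed in comments.';
    }
    return null;
}

// Michael's approach: store the comment exactly as typed and escape it at
// the moment it is printed into the HTML page, so a pasted code example
// shows up as text. nl2br() runs after escaping, so the <br /> it inserts
// is the only markup left in the output.
function renderComment(string $stored): string
{
    $escaped = htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p>' . nl2br($escaped) . '</p>';
}

// Constructed sample inputs.
$samples = [
    'plain'    => "Great post, thanks!",
    'code'     => "Use it like this:\n<em>word</em>",
    'redirect' => "<meta http-equiv=\"refresh\" content=\"0;url=http://example.com/\">",
];

foreach ($samples as $name => $text) {
    $error = rejectIfMarkup($text);
    echo "[$name] reject check: ", $error ?? 'accepted', "\n";
    echo "[$name] rendered:     ", renderComment($text), "\n\n";
}
```

Escaping on output means the escaping must be applied at every place the stored comment is printed, not just the one template you happen to be editing; htmlspecialchars() with these flags covers text placed inside an HTML element or a quoted attribute, which is where a blog comment normally ends up.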
LEGEND, Oct 13, 2008 (latest)
On Mon, 13 Oct 2008 20:35:23 +0200, Michael Fesser <netizen@gmx.de>
wrote:

>But maybe sometimes you want to allow HTML as part of the message (for
>example to give code examples). I would simply call htmlspecialchars()
>on the output, that's enough.

That's possible. It would depend on the circumstances and what the
form were used for. I only mentioned it as an alternative.

Gary