|
|
Posted by Rik on 07/19/06 14:54
pittendrigh wrote:
> I have a forum where all user-supplied text
> (posted to the forum) is cleaned with htmlentities($msg) before
> sending
>
> it back to incoming GET requests.
>
> I want to allow image uploads to registered users.
> That much (allowing uploads if registered) is straightforward.
>
> But if all my user-supplied output is scrubbed with htmlentities
> first, then the img tags aren't tags, and no image will show.
>
> How do forums (that do allow image uploads) deal with this?
> Do they leave user-supplied text unchecked? Or use some
> sort of a regular expression to scrub everything inside
> user-supplied text except the image tags?
They usually allow a very restrictive set of HTML, indeed enforced by reglar
expressions.
You could use strip_tags(), but I normally want to allow/forbid attributes
as well, then a regular expression wil have to do the work.
Grtz,
--
Rik Wasmus
[Back to original message]
|