Posted by pittendrigh on 07/31/06 15:11
I have a home-rolled forum, written in php, based
on some old cgi code written by a guy named David Turely.
Works just fine.
However, when reading user-supplied input I use 'addslashes'
to clean the possibly tainted data.
On subsequent displays the user-supplied data comes
off the file system, so I do a stripslashes and then
an addslashes (prevents single quotes from multiplying
in quoted parts of the threads).
However, this does put one annoying slash before single
quote in the text, that looks ugly in the output.
If I use htmlentities on the data instead of addslashes,
everything looks fine, except for incoming newlines,
which don't translate into real <br/> tags,
so the text all runs together as one long sentence.
If anybody understands what I'm gibbering about,
maybe they also have a solution:
How do I scrub user-supplied input so it is safe to
display, and so single quotes are not visually escaped,
and so real <br/> tags appear at the end of each line?
Seems to me like regular expressions allowing real html
for <br/> tags *only* has to be part of the deal. But I
don't know how to handle the ugly, visually escaped
single quotes.
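One way to get the behaviour asked for above: store the user text unmodified, and at display time escape it for HTML (not with addslashes, which is a string-quoting helper and is not an HTML escaping function) and then convert newlines to `<br />` with nl2br(), so the only tags in the output are the ones the code itself inserted. The following is an added example written for this thread, not code from the original forum software; the function names, the constructed sample input and the "legacy" file layout are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added example (not from the original post). Shows the two steps that
// replace the addslashes/stripslashes dance: escape for HTML, then
// turn newlines into <br /> tags.

/**
 * Prepare untrusted text for display inside an HTML element body.
 *
 * htmlspecialchars() with ENT_QUOTES turns & < > " and ' into entities,
 * so user text cannot break out of the text node into markup. Doing this
 * BEFORE nl2br() means the <br /> tags added afterwards are the only
 * tags that can appear in the result; a user-typed "<br/>" is shown
 * literally, not interpreted.
 */
function render_post(string $raw): string
{
    $escaped = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return nl2br($escaped);           // inserts "<br />" before each newline
}

/**
 * Files written by the old code went through addslashes() first.
 * Calling stripslashes() once when such a file is read recovers the
 * text the user actually typed; new posts should be stored raw.
 * (Hypothetical helper for the migration described in the post.)
 */
function load_legacy_post(string $stored): string
{
    return stripslashes($stored);
}

// Constructed sample input: a quote, an ampersand, a newline and a
// script tag, to show that each is rendered harmlessly.
$sample = "She said 'hi' & left.\n<script>alert(1)</script>\nlast line";

echo render_post($sample), PHP_EOL;
// She said &#039;hi&#039; &amp; left.<br />
// &lt;script&gt;alert(1)&lt;/script&gt;<br />
// last line

// The legacy path: what addslashes() stored becomes raw text again,
// then goes through the same display escaping. No visible backslashes.
$legacy = addslashes($sample);       // simulates a file written by the old code
echo render_post(load_legacy_post($legacy)), PHP_EOL;
```

The single quote now reaches the browser as `&#039;`, which renders as a plain `'` with no backslash, while the `<script>` element arrives as inert text. If the forum ever writes this data into a database rather than flat files, the same rule applies in the other direction: escaping belongs to the context the data is going into, so use the database API's parameter binding there and keep htmlspecialchars() for the HTML side.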