On 7/8/05, Jason Barnett <jason.barnett@xxxxxxxxxxxxx> wrote: > The typical way that forums handle this is to use what is called > "BBCode". In short, you have a non-HTML way for users to supply > information that will produce markup instead of just plain text. So if > you want to allow italics, bolds, URL's, etc. then you have some codes > for it like: > > [i]This text will be in italics.[/i] > [b]This text will be in bold.[/b] > [url=http://php.net]This will be a URL that points to php.net.[/url] While I do not disagree with the information content of your post, I do think this sort of thing is pretty silly. If you're gonna allow the <i> tag then just allow it. There's no point in allowing something else just to spend CPU cycles converting it to what you could have allowed in the first place. It doesn't make it more safe that way. Just clean out the stuff you don't want and be done with it. define( 'ALLOWED_TAGS', '<a><b><blockquote><br><cite><dd><div><dl><dt><ecode><em><i><li><ol><p><strong><tt><ul>' ); $string = strip_tags( $string, ALLOWED_TAGS ); Cleaning an <a> tag can be accomplished just as easily as cleaning a [url] tag. -- Greg Donald Zend Certified Engineer MySQL Core Certification http://destiney.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php