Evert|Rooftop wrote:
If you for example only allow <i><u> and <b> doing this with bbcode would require extra cpu-cycles to convert [i] to <i>. I don't really agree with this, because I think escaping the html + replacing bbcode would require less cpu cycles than scanning the string for invalid html and escaping them. Maybe someone has the time to benchmark this?
Performance aside, that's a dangerous way of allowing a restricted set of HTML. You want to escape the entire string. The only difference is that you can convert some HTML entities back to their original form if you want to allow them to be interpreted.
In other words, these approaches are almost identical, which is why BBCode has very little value.
Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
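The approach described in the reply above, as an added example that is not part of the original message: escape the whole string, then restore only the exact escaped forms of `<b>`, `<i>` and `<u>`. The function name and the sample input are constructed for illustration, and `strip_tags()` is included only as a comparison point for the "filter out the invalid HTML" style of approach.

```php
<?php
// Added example, not code from the thread. Names and sample input are constructed.

/**
 * Escape everything, then restore only bare, attribute-free tags from an allowlist.
 */
function escape_then_allow(string $input, array $allowed = ['b', 'i', 'u']): string
{
    // Step 1: escape the entire string so that no markup of any kind survives.
    $escaped = htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // Step 2: map the escaped form of each bare tag back to the real tag.
    // Only the exact strings "&lt;b&gt;" and "&lt;/b&gt;" (and so on) match,
    // so a tag carrying attributes, or an upper-case variant, stays escaped.
    $map = [];
    foreach ($allowed as $tag) {
        $map["&lt;{$tag}&gt;"]  = "<{$tag}>";
        $map["&lt;/{$tag}&gt;"] = "</{$tag}>";
    }

    // strtr() with an array works in one pass and never re-scans its own output.
    return strtr($escaped, $map);
}

// Constructed sample: one plain allowed tag, one allowed tag with an event
// handler attribute, one disallowed tag, and a bare ampersand.
$sample = 'Hi <b>bold</b>, <b onmouseover="alert(1)">hover</b>, '
        . '<script>x()</script> & <i>it</i>';

echo "escape, then allow:\n", escape_then_allow($sample), "\n\n";

// Comparison: strip_tags() with an allowlist removes other tags but does not
// touch attributes on the tags it keeps, so the onmouseover handler survives.
echo "strip_tags with allowlist:\n", strip_tags($sample, '<b><i><u>'), "\n";
```

The restored tags are not checked for balance, so an unclosed `<b>` in the input still affects the markup that follows it on the page.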