Hi, Thanks for you comment. I already changed to <span>. About sanitation: Do you know any open source where it checks code if it is acceptable or not? Or should I just create a lib that do some preg_match to see if any javascript tag is inside (assuming javascript should not be allowed). This is a private system, so I do not worry so much :) /Peter -----Original Message----- From: Robert Cummings [mailto:robert@xxxxxxxxxxxxx] Sent: Wednesday, September 20, 2006 2:13 PM To: Peter Lauri Cc: 'PHP General' Subject: RE: preg_replace (again) [solved] On Wed, 2006-09-20 at 11:45 +0700, Peter Lauri wrote: > Just to share my solution: Out of curiosity, why don't you go with the very well known BBCode system? > preg_replace('/_color:(.*?)_(.*?)_color_/i', '<font color="$1">$2</font>', > $html); Hopefully this is a private system, otherwise someone not very nice might do the following: ---- This is some _color:pink"> <script type="text/javascript" language="javascript"> document.location = 'http://www.myDoityPr0nCollection.com'; </script><font color="pink_ colored text _color_ that I want to transfer ---- You need better content sanitization ]:B FWIW, the <font> tag is about as deprecated as deprecated can get. You might consider switching to <span>. Cheers, Rob. -- .------------------------------------------------------------. | InterJinn Application Framework - http://www.interjinn.com | :------------------------------------------------------------: | An application and templating framework for PHP. Boasting | | a powerful, scalable system for accessing system services | | such as forms, properties, sessions, and caches. InterJinn | | also provides an extremely flexible architecture for | | creating re-usable components quickly and easily. | `------------------------------------------------------------' -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php