On 21 May 2010 14:21, Ashley Sheridan <ash@xxxxxxxxxxxxxxxxxxxx> wrote:
> I still think you might be better off using BBCode, which is used on
> websites just for this very purpose. When any input comes back, you can
> remove all the HTML completely and replace the BBCode tags that you
> allow. This should guarantee that the only HTML in the text is what you
> put there. That way, the only chance someone has to enter malicious code
> is to manipulate your replacement algorithm.

We don't know what the use case is. It's likely that HTML is a fixed requirement here.

In any case, stripping the HTML from a post and leaving just the BBCode is almost as difficult as stripping out all tags except <p>. There are so many text encodings and weird quirks out there that I wouldn't trust any code I'd written myself to do it. HTMLPurifier is widely adopted and tested, and actively maintained.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
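The point made above, that "keep only <p>" is harder than it looks, can be seen with a small script. The following is an added example and is not code from anyone in this thread: it runs two home-made filters (strip_tags() with an allow-list, and a hand-rolled regex) plus HTMLPurifier if it happens to be loaded, over a few constructed probe inputs, and reports whether an inline event handler survives. The probe strings and helper names are mine; the HTMLPurifier calls are its documented HTML.Allowed configuration.

```php
<?php
// Added example, not code from the original thread. It shows why "strip every
// tag except <p>" is harder than it sounds, using two naive filters and a few
// constructed probe inputs (not real user data).

// Filter 1: strip_tags() with an allow-list. The PHP manual warns that
// strip_tags() does not modify attributes on the tags you allow.
function filter_strip_tags(string $html): string
{
    return strip_tags($html, '<p>');
}

// Filter 2: a hand-rolled regex that removes any tag whose name is not p.
// It can only remove a tag it can see a closing '>' for.
function filter_regex(string $html): string
{
    return preg_replace('#<(?!/?p\b)[^>]*>#i', '', $html);
}

// Filter 3: HTMLPurifier configured to allow only <p>, used if it is loaded.
// Returns null when the library is not installed so the script still runs.
function filter_purifier(string $html): ?string
{
    if (!class_exists('HTMLPurifier')) {
        return null;
    }
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed', 'p');
    return (new HTMLPurifier($config))->purify($html);
}

// Crude check: did an inline event handler (onclick=, onerror=, ...) survive?
function has_event_handler(string $html): bool
{
    return (bool) preg_match('/\bon[a-z]+\s*=/i', $html);
}

// Constructed probes (hypothetical input, not taken from any real post).
$probes = [
    'event handler on allowed tag'  => '<p onmouseover="alert(1)">hover</p>',
    'mixed case, unquoted attribute' => '<P onClick=alert(1)>click</P>',
    'unterminated tag'              => '<p>text<img src=x onerror=alert(1)',
];

$filters = [
    'strip_tags' => 'filter_strip_tags',
    'regex'      => 'filter_regex',
    'purifier'   => 'filter_purifier',
];

foreach ($probes as $label => $dirty) {
    echo "== $label\n";
    foreach ($filters as $name => $fn) {
        $out = $fn($dirty);
        if ($out === null) {
            echo "  $name: (HTMLPurifier not loaded)\n";
            continue;
        }
        printf("  %-10s %s  => %s\n", $name,
               has_event_handler($out) ? 'LEAKS' : 'ok   ', $out);
    }
}
```

Both home-made filters keep the allowed <p> together with whatever attributes it carries, so the first two probes come back with their handlers intact. The regex filter additionally passes the unterminated <img ...> through untouched, and a browser will close that tag at the next '>' it finds in the page. HTMLPurifier with HTML.Allowed set to 'p' drops the attributes and the malformed tag, which is the kind of quirk-handling the message above is recommending you not reimplement yourself.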