In order to make my inputs safe, I'm using htmlentities in php:
$input = $_POST['field'];
$result = htmlspecialchars($input);
This works, but then I realized that in some inputs, I need to allow some basic markup like <b> and <i>, copyright logos and basic stuff for the user. So I started doing this:
$result = $_POST['ftext'];
$presanitize = htmlspecialchars($result);
// Search for the escaped forms that htmlspecialchars produced and put the
// allowed tags back; &copy; became &amp;copy; and " became &quot;.
$newftext = str_replace(
    array("&lt;i&gt;", "&lt;b&gt;", "&lt;/i&gt;", "&lt;/b&gt;", "&amp;copy;", "&quot;", "&lt;a&gt;", "&lt;/a&gt;"),
    array("<i>", "<b>", "</i>", "</b>", "&copy;", '"', "<a>", "</a>"),
    $presanitize);
Now we come to my main problem: how to allow things like <a> and <img>, where we don't have only a tag and don't know what comes inside of it?
I can replace , because it's always only , but if I replace , it won't work as I'll have lots of stuff (<a href="http://link.com">Text</a>) inside of it.
What should I do? Thanks in advance.
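One way to handle tags that carry attributes, added here as an example and not code from the original question: escape everything first (as the question already does), re-enable an allowlist of attribute-free tags by string replacement, and for <a> and <img> pull out the single permitted attribute with a pattern and validate its value before letting the tag through. The function names allowlist_html and safe_url, the ALLOWED_SCHEMES constant and the sample input are constructed for this example.

```php
<?php
// Added example, not code from the original question. Escape everything
// first, then re-enable only an allowlist of tags; for <a> and <img> the
// single permitted attribute is parsed out and validated instead of trusted.
// Names (allowlist_html, safe_url, ALLOWED_SCHEMES) and the sample input
// are constructed for this example.

const ALLOWED_SCHEMES = ['http', 'https'];

// Accept an absolute http(s) URL or a plain relative path; return null for
// anything else (javascript:, data:, protocol-relative //host, and control
// characters that some browsers strip before reading the scheme).
function safe_url(string $url): ?string
{
    $url = trim($url);
    if ($url === '' || preg_match('/[\x00-\x1f\x7f]/', $url)) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false) {
        return null;
    }
    if (isset($parts['scheme'])) {
        return in_array(strtolower($parts['scheme']), ALLOWED_SCHEMES, true) ? $url : null;
    }
    // No scheme: allow only a path, never a host (//evil.example).
    return isset($parts['host']) ? null : $url;
}

function allowlist_html(string $input): string
{
    $flags = ENT_QUOTES | ENT_HTML5;
    // 1. Escape everything, as in the question.
    $out = htmlspecialchars($input, $flags, 'UTF-8');

    // 2. Attribute-free tags can be switched back on with plain replacement.
    foreach (['b', 'i', 'em', 'strong'] as $tag) {
        $out = str_replace(["&lt;$tag&gt;", "&lt;/$tag&gt;"], ["<$tag>", "</$tag>"], $out);
    }

    // 3. Let a user-typed &copy; through (htmlspecialchars made it &amp;copy;).
    $out = str_replace('&amp;copy;', '&copy;', $out);

    // 4. Links: only the form <a href="...">text</a> is accepted. In the escaped
    //    text the quotes are &quot;, so the value runs up to the next &quot;.
    $out = preg_replace_callback(
        '/&lt;a href=&quot;(.*?)&quot;&gt;(.*?)&lt;\/a&gt;/s',
        function (array $m) use ($flags): string {
            $href = safe_url(html_entity_decode($m[1], $flags, 'UTF-8'));
            if ($href === null) {
                return $m[0]; // keep it escaped: shown as text, never rendered
            }
            return '<a href="' . htmlspecialchars($href, $flags, 'UTF-8')
                 . '" rel="noopener noreferrer">' . $m[2] . '</a>';
        },
        $out
    );

    // 5. Images: <img src="..." alt="..."> with the same src validation;
    //    the alt text is already escaped and is reused as-is.
    $out = preg_replace_callback(
        '/&lt;img src=&quot;(.*?)&quot;(?: alt=&quot;(.*?)&quot;)?\s*\/?&gt;/',
        function (array $m) use ($flags): string {
            $src = safe_url(html_entity_decode($m[1], $flags, 'UTF-8'));
            if ($src === null) {
                return $m[0];
            }
            $alt = $m[2] ?? '';
            return '<img src="' . htmlspecialchars($src, $flags, 'UTF-8') . '" alt="' . $alt . '">';
        },
        $out
    );

    return $out;
}

// Constructed sample input covering the cases the question asks about.
$sample = 'Hi <b>there</b> &copy; 2013 <a href="http://link.com/?a=1&b=2">Text</a> '
        . '<img src="/pics/logo.png" alt="logo"> '
        . '<a href="javascript:alert(1)">click</a> <script>alert(1)</script>';
echo allowlist_html($sample), PHP_EOL;
```

Running this, the <b> tag, the copyright entity, the http link (with the & in its query string re-escaped as &amp;) and the image come out as markup, while the javascript: link and the <script> element stay escaped and display as literal text. The patterns are deliberately strict: attribute order, double quotes and lower-case tag names are fixed, and anything that does not match stays escaped rather than being guessed at. If the markup you need to accept grows beyond a handful of fixed shapes, a purpose-built sanitizer such as HTML Purifier, which parses the HTML instead of pattern-matching it, is the safer route.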