
PHP: How can I disallow HTML content in user-generated content?

Posted by: admin July 12, 2020

Questions:

I run a niche social network site. I would like to disallow HTML content in user-posted messages, such as embedded videos etc. What option is there in PHP to clean this up before I insert into the DB?

How to & Answers:

There are three basic solutions:

  1. Strip all HTML tags from the post. In PHP you can do this using the strip_tags() function.
  2. Encode all the characters, so that if a user types <b>hello</b> it shows up as <b>hello</b>. In PHP this is the htmlspecialchars() function. (Note: in this situation you would generally store the content in the database as-is, and use htmlspecialchars wherever you output the content.)
  3. Use an HTML sanitizer such as HTML Purifier. This allows users to use certain HTML formatting such as bold/italic, but blocks malicious JavaScript and any other tags you wish (i.e. <object> in your case).
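
Options 1 and 2 from the answer above, side by side, as an added example that is not part of the original answer. The helper names strip_post() and e(), the sample post, and the in-memory SQLite table standing in for the site database are assumptions made for illustration; the pdo_sqlite extension must be enabled.

```php
<?php
declare(strict_types=1);

// Constructed sample post: formatting, an embedded object, and stray "<" characters.
$post = '<b>hello</b> <object data="https://video.example/clip"></object> 2 < 3 and I <3 PHP';

// Option 1 (hypothetical helper): remove tags. The text between tags is kept,
// and because strip_tags() does not validate HTML, broken or partial tags
// can remove more text than expected.
function strip_post(string $raw): string
{
    return trim(strip_tags($raw));
}

// Option 2 (hypothetical helper): escape at output time. ENT_QUOTES also
// encodes ' and ", so the result is usable in element content and in quoted
// attribute values. ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string.
function e(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Store the post as-is, using a bound parameter rather than string concatenation.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
$db->prepare('INSERT INTO messages (body) VALUES (:body)')->execute([':body' => $post]);

// Read it back and render it both ways to compare the results.
foreach ($db->query('SELECT body FROM messages') as $row) {
    echo 'stripped: ', strip_post($row['body']), PHP_EOL;
    echo 'escaped:  <p>', e($row['body']), '</p>', PHP_EOL;
}
```

Running it shows the trade-off: the stripped version loses ordinary text around the stray "<", while the escaped version shows everything the user typed as plain text.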

Answer:

You could use the strip_tags() function.