Welcome Guest, Not a member yet? Register   Sign In
Disallowing HTML input from textareas - how to do?
#1

[eluser]Jay Turley[/eluser]
My goal is to keep users from inputting HTML in a textarea.

I know codeigniter has the Text Helper, which has the word_censor() function. Clearly I could do the following:

Code:
$disallowed = array('<strong>', '</strong>'); // repeat with all desired HTML elements
$string = word_censor($string, $disallowed, '');

However, first of all, that only works for the exact matches, so anchors are going to be a problem. And it's very brittle anyway.

I figure I'm not the first person to run into this, and I'm hoping someone out there in the community has a nice solution for this.

Thanks!
#2

[eluser]Colin Williams[/eluser]
PHP has a nifty strip_tags() function. You tell it which tags not to strip. If you want to generate an error, you could probably check the string length of stripped vs non-stripped input, but there might be more efficient ways to do this check

Code:
if (strlen($input) !== strlen(strip_tags($input))
{
   echo 'Error: HTML code found in input';
}

See:
http://us3.php.net/strlen http://us3.php.net/strip_tags
#3

[eluser]Jay Turley[/eluser]
Colin-

That is *exactly* what I was looking for. Chalk this one up to my inexperience with the full set of PHP functions. Thanks tons, mate!

-Jay
#4

[eluser]Dam1an[/eluser]
You can be expected to know all the PHP functions, there is after all ~3500 of them lol
But this is definatly one worth remembering Smile
#5

[eluser]skunkbad[/eluser]
I'm new to CI, so I'm certainly no expert, but on my website I use both javascript and php to search for the presence of > or < characters in all form fields, and disable the submit button (javascript), or send the user back to the form with an error message. Other sub-strings are searched for to determine if a link is trying to be made. The javascript is quite simple, and you might go to my site and view the javascript for an example. I use a callback function during regular CI form validation to look for the special symbols or words I want to ban.

Code:
public function _validateEmail($email) {
        # Check email syntax with regex
        $emailClean = 1;
        if (preg_match('/^([a-zA-Z0-9\._\+-]+)\@((\[?)[a-zA-Z0-9\-\.]+\.([a-zA-Z]{2,7}|[0-9]{1,3})(\]?))$/', $email, $matches)) {
            $user = $matches[1];
            $domain = $matches[2];
            # Check availability of DNS MX records
            if (function_exists('getmxrr')) {
                # Construct array of available mailservers
                if(getmxrr($domain, $mxhosts, $mxweight)) {
                    for($i=0;$i<count($mxhosts);$i++){
                        $mxs[$mxhosts[$i]] = $mxweight[$i];
                    }
                    asort($mxs);
                    $mailers = array_keys($mxs);
                } elseif(checkdnsrr($domain, 'A')) {
                    $mailers[0] = gethostbyname($domain);
                } else {
                    $mailers=array();
                }
                $total = count($mailers);
                if($total <= 0) {
                    $emailClean = 0;
                }
            }else{
                //debug only for localhost (wampserver)
                $emailClean = 0;
            }
        } else {
            $emailClean = 0;
        }
        if($emailClean == 0){
            $this->form_validation->set_message('_validateEmail', 'Supplied %s was rejected, and has been deleted.');
            return FALSE;
        }else{
            return $email;
        }
    }

    public function _cleanField($string) {
        $stringClean = 1;
        $badWord = array(
            'cytoreticulum',
            'viagra',
            'ringtones',
            'http:',
            'href=',
            '[url]'
        );
        foreach ($badWord as $unwanted){
            $testedString = strpos($string,$unwanted);
            if ($testedString !== FALSE){
                $stringClean = 0;
            }
        }
        // The following checks and makes sure that each field has no Russian, Hebrew, Chinese, or odd characters of any kind that aren't on MY keyboard
        if($stringClean == 1){
            if (preg_match('/[^-\s [email protected]#$%^&*()_+=;:\'",.?|}{[\]\/\\\\]/i', $string)) {
                $stringClean = 0;
            }
        }
        if($stringClean == 0){
            $this->form_validation->set_message('_cleanField', 'The %s field contains links, words, foreign characters, or other data that was rejected, and has been deleted.');
            return FALSE;
        }else{
            return $string;
        }
    }




Theme © iAndrew 2016 - Forum software by © MyBB