Remember to do string replacements after you call htmlspecialchars()
and not before, otherwise all your hard work in turning your custom markups
into HTML markups will be lost when you call htmlspecialchars().
Remember to search for the HTML entity in your replacements: for example,
instead of looking for " (double quote) you would look for &quot;,
since that is what it got translated to. See the htmlspecialchars()
documentation for the other translations that occur.
The nl2br() function converts linebreaks into <br> tags,
again make sure this is called after htmlspecialchars(), not before.
When converting [link=""] into <a href="">, you must
that way it won't match the pattern for links and it will just be displayed
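The ordering described above, written out as an added example (this is not the article's own format_output() or test.php; the HTML elements chosen for each tag and the href scheme allowlist are this example's assumptions):

```php
<?php
// Added example, not the article's code: escape first, then replace the custom
// markup (matching the entity form &quot;), then nl2br() last.
function format_output(string $input): string
{
    // 1. Escape everything the user typed. After this step a " has become
    //    &quot;, so every pattern below must match the entity, not the quote.
    $out = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');

    // 2. Paired tags: requiring both open and close keeps the HTML balanced.
    $pairs = [
        '/\[b\](.*?)\[\/b\]/s'           => '<b>$1</b>',
        '/\[i\](.*?)\[\/i\]/s'           => '<i>$1</i>',
        '/\[pre\](.*?)\[\/pre\]/s'       => '<pre>$1</pre>',
        '/\[indent\](.*?)\[\/indent\]/s' => '<blockquote>$1</blockquote>',
    ];
    $out = preg_replace(array_keys($pairs), array_values($pairs), $out);
    $out = str_replace('[p]', '<p>', $out);

    // 3. Links: the URL text is already entity-escaped, so it is safe inside
    //    the quoted attribute. As an extra check (assumption of this example),
    //    only http(s) URLs and in-page anchors become links; anything else is
    //    left exactly as the user typed it.
    $out = preg_replace_callback(
        '/\[link=&quot;(.*?)&quot;\](.*?)\[\/link\]/s',
        function (array $m): string {
            if (!preg_match('~^(https?://|#)~i', $m[1])) {
                return $m[0];
            }
            return '<a href="' . $m[1] . '">' . $m[2] . '</a>';
        },
        $out
    );
    // [anchor="name"] has no closing tag in the article's markup.
    $out = preg_replace('/\[anchor=&quot;([A-Za-z0-9_-]+)&quot;\]/',
                        '<a id="$1"></a>', $out);

    // 4. Line breaks last, so the inserted <br> tags are not escaped away.
    return nl2br($out);
}

// Constructed sample input: raw HTML that must stay inert, plus custom markup.
$sample = "<script>alert(1)</script>\n"
        . "[b]bold[/b] and [link=\"http://www.phpbuilder.com\"]a link[/link]";
echo format_output($sample);
```

Running this prints the script tag as escaped text, while the [b] and [link] markup comes through as real HTML.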
Load up the test.php script to see the format_output() function in action.
Start by entering this in the textbox:
Regular HTML markup is not available, instead we will use special markup:
- this is [b]bold[/b]
- this is [i]italics[/i]
- this is [link="http://www.phpbuilder.com"]a link[/link]
- this is [anchor="test"]an anchor, and a [link="#test"]link[/link] to the anchor
[p]This is a paragraph break
[pre]This is preformatted text[/pre]
[indent]This is indented text[/indent]
This concludes our demonstration.
Currently there are only a small number of markups available - you are free to add
more as you see fit.
This article discussed the dangers of displaying unfiltered user input,
and provided a solution for displaying formatted user input with custom
markup tags. This can be applied anywhere you want to accept user input,