PHPBuilder - Displaying Formatted User Input Page 3


Displaying Formatted User Input - Page 3

by: Ying Zhang
July 30, 2000

Some notes:

  • Remember to do string replacements after you call htmlspecialchars() and not before, otherwise all your hard work in turning your custom markups into HTML markups will be lost when you call htmlspecialchars().

  • Remember to search for the HTML entities in your replacements: for example, instead of looking for " (double quote) you would look for &quot;, since that is what htmlspecialchars() translated it to. See the manual for the other translations that occur.

  • The nl2br() function converts linebreaks into <br> tags; again, make sure this is called after htmlspecialchars(), not before.

  • When converting [link=""] into <a href="">, you must be sure to prevent people from inserting javascript. A simple way to do that is to change [link="javascript into [link=" javascript (with a space inserted), so that it no longer matches the pattern for links and is just displayed as is.
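The pipeline these notes describe, written out as an added example: it is not the article's own format_output() (which this page does not show), and the function name render_markup() is my own. It escapes first, then translates the custom tags, then calls nl2br(). In place of the author's trick of inserting a space after [link=", it refuses any link target that is not a #fragment or an absolute http(s) URL, which also covers schemes other than javascript:.

```php
<?php
// Added example, not the article's format_output(): escape first, then
// translate [b], [i], [link], [anchor], [p], [pre], [indent] into HTML.

function render_markup(string $input): string
{
    // 1. Neutralise every HTML character the user typed. From here on
    //    " is &quot;, < is &lt; and & is &amp;, so later patterns must
    //    match the entities, not the raw characters.
    $out = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');

    // 2. Simple tag pairs. The replacement strings are ours, never the user's.
    $simple = [
        '[b]' => '<b>', '[/b]' => '</b>',
        '[i]' => '<i>', '[/i]' => '</i>',
        '[pre]' => '<pre>', '[/pre]' => '</pre>',
        '[indent]' => '<blockquote>', '[/indent]' => '</blockquote>',
        '[p]' => '<p>',
    ];
    $out = strtr($out, $simple);

    // 3. Links: the quote inside [link="..."] is now &quot;. Only accept a
    //    target that is a #fragment or an absolute http/https URL; anything
    //    else (javascript:, data:, vbscript:, ...) stays as literal text.
    $out = preg_replace_callback(
        '/\[link=&quot;(.*?)&quot;\](.*?)\[\/link\]/s',
        function (array $m): string {
            $href = $m[1];   // already entity-encoded, so safe in an attribute
            if (preg_match('~^(#[A-Za-z0-9_-]+|https?://\S+)$~', $href)) {
                return '<a href="' . $href . '">' . $m[2] . '</a>';
            }
            return $m[0];    // not an allowed target: show the markup as-is
        },
        $out
    );

    // 4. Anchors: restrict the name to a plain identifier.
    $out = preg_replace(
        '/\[anchor=&quot;([A-Za-z0-9_-]+)&quot;\]/',
        '<a name="$1"></a>',
        $out
    );

    // 5. Line breaks last, so the <br> tags are not escaped by step 1.
    return nl2br($out);
}
```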


Load up the test.php script to see the format_output() function in action. Start by entering this in the textbox:
Regular HTML markup is not available, instead we will use special markup:

- this is [b]bold[/b]
- this is [i]italics[/i]
- this is [link=""]a link[/link]
- this is [anchor="test"]an anchor, and a [link="#test"]link[/link] to the anchor

[p]This is a paragraph break
[pre]This is preformatted text[/pre]
[indent]This is indented text[/indent]
This concludes our demonstration.
Currently there are only a small number of markups available - you are free to add more as you see fit.


This article discussed the dangers of displaying unfiltered user input, and provided a solution for displaying formatted user input with custom markup tags. This can be applied anywhere you want to accept user input, for example:
  • guestbooks
  • user comments
  • system bulletins
  • etc.

