Here’s my problem:
I have a textarea where the user can enter whatever he wants.
When he sends this text (POST method), on the server side I don’t filter it at all before writing it into the database (because I want to keep “intact” what the user entered (maybe it can be used as a proof he tried to hack or whatever)).
Then, before outputting it, I use this function:
public function textForWeb($texte,$br=true)
{
if ($br) {
return
mb_ereg_replace("((\r)?\n)", "<br />",
htmlentities(
stripslashes($texte),
ENT_QUOTES, 'UTF-8'
)
);
}
else {
return
htmlentities(
stripslashes($texte),
ENT_QUOTES, 'UTF-8'
);
}
}
So the text is properly filtered and stays UTF-8 encoded.
But the problem is that I’d like all these text: <a href="http://url">xxx</a> to be untouched. I.e. when I will display it, the link (and only links with “http://” and no javascript inside) will be “clickable”.
For example, you can see how it is displayed now here. See last line of the announce? I’d like the link to the website to be “clickable”.
How would you do?
Just add a preg_replace() function to revert the escaped a tags after your htmlentities() function
That way you can still escape all other HTML in a safe way (instead of using strip_tags() function.)
This preg_replace() function searches for a tags linking to pages starting with http:// or https:// and then replaces the escaped special characters with <, > and “, making the link clickable again.