I have a text area where a user can define a post. This field should allow BBCODE but not HTML.
Currently HTML is allowed but it should not be.
How can I disallow HTML tags to be posted by the user?
There are two main choices here. You can either escape the HTML, so it’s treated as plain text, or you can remove it. Either way is safe, but escaping is usually what users expect.
To escape, use htmlspecialchars() on the input, before you process the bbcode. To remove the HTML tags entirely, use strip_tags() instead:
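Both options from the answer, shown as an added PHP example that is not part of the original post. The BBCode subset ([b], [i], [url=...]) and the helper names render_post and render_post_strip are assumed for illustration; the point it shows is that escaping must happen before BBCode is turned into HTML, otherwise the generated tags get escaped too.

```php
<?php
declare(strict_types=1);

// Added example: escape user HTML first, then convert a small BBCode subset.
// Order matters: escaping after BBCode conversion would also escape the
// <b>, <i> and <a> tags we just generated.

/**
 * Convert user-supplied BBCode to HTML without letting raw HTML through.
 * Hypothetical helper; supports only [b], [i] and [url=...] as illustration.
 */
function render_post(string $input): string
{
    // Step 1: neutralise every HTML tag and attribute the user typed.
    // ENT_QUOTES also escapes single quotes, so the result is safe inside
    // attribute values as well as element content.
    $safe = htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Step 2: translate the allowed BBCode tags. Only these produce markup.
    $safe = preg_replace('#\[b\](.*?)\[/b\]#s', '<b>$1</b>', $safe);
    $safe = preg_replace('#\[i\](.*?)\[/i\]#s', '<i>$1</i>', $safe);

    // [url=...]: only accept http(s) URLs so "javascript:" links cannot slip in.
    // The input is already escaped, so any '&' inside the URL is '&amp;',
    // which is the correct form inside an href attribute anyway.
    $safe = preg_replace_callback(
        '#\[url=(https?://[^\]\s"]+)\](.*?)\[/url\]#s',
        fn(array $m): string => '<a href="' . $m[1] . '" rel="nofollow">' . $m[2] . '</a>',
        $safe
    );

    return nl2br($safe);
}

// The answer's second option: remove tags instead of escaping them.
function render_post_strip(string $input): string
{
    $plain = strip_tags($input);
    // Still escape afterwards: strip_tags() leaves a stray '<' that is not
    // part of a well-formed tag, and a later BBCode step must not trust it.
    $safe = htmlspecialchars($plain, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return preg_replace('#\[b\](.*?)\[/b\]#s', '<b>$1</b>', $safe);
}

// Constructed sample input mixing BBCode with an HTML tag that must not run.
$post = "[b]Hello[/b] <script>alert(1)</script> [url=https://example.com]site[/url]";
echo render_post($post), "\n";
echo render_post_strip($post), "\n";
```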