Displaying users' comments?

Discussion in 'HTML' started by Leif K-Brooks, Nov 23, 2003.

  1. I just wrote a simple blog for myself (http://tw.ecritters.biz/), and I
    want to add a comment feature. I can't let users use HTML in the posts,
    because they could do all sorts of nasty things (their own CSS,
    nonstandard HTML, ECMAScript, etc.), so how should I format them? Put
    them in a <p> element and turn new lines to <br>s? Put it in a <pre> even
    though they won't wrap? Turn two or more new lines into </p><p> and
    single new lines into <br>s? Something else?
    Leif K-Brooks, Nov 23, 2003
    #1

  2. "Leif K-Brooks" <> wrote in message
    news:m7Wvb.1499$...
    > I just wrote a simple blog for myself (http://tw.ecritters.biz/), and I
    > want to add a comment feature. I can't let users use HTML in the posts,


    Most web-masters find it easiest to HTML-encode the user's postings.
    If you're really enthusiastic, you can parse the posted messages yourself
    and "decode" things like images and links.
    Woolly Mittens, Nov 23, 2003
    #2

  3. Leif K-Brooks wrote:

    > I just wrote a simple blog for myself (http://tw.ecritters.biz/), and I
    > want to add a comment feature. I can't let users use HTML in the posts,
    > because they could do all sorts of nasty things (their own CSS,
    > nonstandard HTML, ECMAScript, etc.), so how should I format them?


    I'd be tempted to do something along the lines of:

    $usercomment =~ s#\&#&amp;#g; # escape &
    $usercomment =~ s#\<#&lt;#g; # escape <
    $usercomment =~ s#\>#&gt;#g; # escape >
    $usercomment =~ s#\n\n#</p>\n<p>#g; # add paragraph breaks
    $usercomment = "<p>$usercomment</p>\n\n\n"; # wrap it all up

    This is in Perl. I see you're using PHP, so look into preg_replace instead
    of my "=~ s#X#Y#g;" things.

    --
    Toby A Inkster BSc (Hons) ARCS
    Contact Me - http://www.goddamn.co.uk/tobyink/?page=132
    Toby A Inkster, Nov 23, 2003
    #3
  4. Toby A Inkster wrote:

    > I'd be tempted to do something along the lines of:
    >
    > $usercomment =~ s#\&#&amp;#g; # escape &
    > $usercomment =~ s#\<#&lt;#g; # escape <
    > $usercomment =~ s#\>#&gt;#g; # escape >
    > $usercomment =~ s#\n\n#</p>\n<p>#g; # add paragraph breaks
    > $usercomment = "<p>$usercomment</p>\n\n\n"; # wrap it all up


    Sounds about right, maybe with <br> for single line breaks too.

    Do Perl people really use regular expressions for all replacement? Isn't
    that inefficient?
    Leif K-Brooks, Nov 23, 2003
    #4
  5. Leif K-Brooks wrote:

    > Do Perl people really use regular expressions for all replacement?


    I do, but that's just me being lazy. You could do stuff with index(),
    substr(), etc, but why bother?

    > Isn't that inefficient?


    Perl has a highly optimised regular expression engine. I tend to let the
    Perl interpreter guys do the optimisation so I don't have to.

    --
    Toby A Inkster BSc (Hons) ARCS
    Contact Me - http://www.goddamn.co.uk/tobyink/?page=132
    Toby A Inkster, Nov 23, 2003
    #5
  6. Toby A Inkster <> wrote in message news:<>...
    > Leif K-Brooks wrote:
    > > I just wrote a simple blog for myself (http://tw.ecritters.biz/), and I
    > > want to add a comment feature. I can't let users use HTML in the posts,
    > > because they could do all sorts of nasty things (their own CSS,
    > > nonstandard HTML, ECMAScript, etc.), so how should I format them?

    >
    > [snip Perl code escaping special characters]
    > This is in Perl. I see you're using PHP, so look into preg_replace instead
    > of my "=~ s#X#Y#g;" things.


    The function htmlspecialchars() will perform all the escapes in one go:

    http://www.php.net/manual/en/function.htmlspecialchars.php

    --- Stephen Morley ---
    http://www.safalra.com
    Safalra, Nov 23, 2003
    #6
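    The approach the thread converges on (escape &, <, > and the quotes first, with htmlspecialchars() or equivalent, and only then add your own paragraph and line-break markup), written out as an added example that is not from any poster. It is a Python port rather than Perl or PHP; `html.escape(..., quote=True)` is assumed to play the role of htmlspecialchars() with ENT_QUOTES, and the single-newline-to-<br> rule from post #4 is included.

```python
import html
import re


def format_comment(text: str) -> str:
    """Render an untrusted comment as HTML the commenter cannot influence.

    Order matters: escaping runs first, so every < > & " ' the user typed
    is neutralised before any markup is inserted. Everything added after
    that point is our own <p> and <br>, so the user can neither open nor
    close a tag, and cannot break out of a quoted attribute either.
    """
    # Normalise CRLF / CR line endings so the newline rules below apply.
    text = text.replace("\r\n", "\n").replace("\r", "\n").strip()
    # Step 1: escape. quote=True also turns " into &quot; and ' into &#x27;,
    # which the Perl snippet in post #3 did not do; needed if the text ever
    # lands inside an attribute.
    escaped = html.escape(text, quote=True)
    # Step 2: two or more newlines => paragraph break, one newline => <br>.
    paragraphs = []
    for para in re.split(r"\n{2,}", escaped):
        if para.strip():
            paragraphs.append("<p>" + para.replace("\n", "<br>") + "</p>")
    return "\n".join(paragraphs)


def only_own_markup(rendered: str) -> bool:
    """Sanity check: the only tags in the output are the ones we emit."""
    tags = re.findall(r"<[^>]*>", rendered)
    return all(t in ("<p>", "</p>", "<br>") for t in tags)


if __name__ == "__main__":
    # Constructed sample comment containing markup, an ampersand and quotes.
    sample = 'Hi <b>there</b> & "friends"\n\n\nsecond para\nsame para'
    out = format_comment(sample)
    print(out)
    print("only own markup:", only_own_markup(out))
```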