Displaying users' comments?

Leif K-Brooks

I just wrote a simple blog for myself (http://tw.ecritters.biz/), and I
want to add a comment feature. I can't let users use HTML in the posts,
because they could do all sorts of nasty things (their own CSS,
nonstandard HTML, ECMAScript, etc.), so how should I format them? Put
them in a <p> element and turn new lines into <br>s? Put it in a <pre> even
though they won't wrap? Turn two or more new lines into </p><p> and
single new lines into <br>s? Something else?
 
Woolly Mittens

Leif K-Brooks said:
I just wrote a simple blog for myself (http://tw.ecritters.biz/), and I
want to add a comment feature. I can't let users use HTML in the posts,

Most web-masters find it easiest to HTML-encode the user's postings.
If you're really enthusiastic, you can parse the posted messages yourself
and "decode" things like images and links.
 
Toby A Inkster

Leif said:
I just wrote a simple blog for myself (http://tw.ecritters.biz/), and I
want to add a comment feature. I can't let users use HTML in the posts,
because they could do all sorts of nasty things (their own CSS,
nonstandard HTML, ECMAScript, etc.), so how should I format them?

I'd be tempted to do something along the lines of:

$usercomment =~ s#\&#&amp;#g; # escape &
$usercomment =~ s#\<#&lt;#g; # escape <
$usercomment =~ s#\>#&gt;#g; # escape >
$usercomment =~ s#\n\n#</p>\n<p>#g; # add paragraph breaks
$usercomment = "<p>$usercomment</p>\n\n\n"; # wrap it all up

This is in Perl. I see you're using PHP, so look into preg_replace instead
of my "=~ s#X#Y#g;" things.
 
Leif K-Brooks

Toby said:
I'd be tempted to do something along the lines of:

$usercomment =~ s#\&#&amp;#g; # escape &
$usercomment =~ s#\<#&lt;#g; # escape <
$usercomment =~ s#\>#&gt;#g; # escape >
$usercomment =~ s#\n\n#</p>\n<p>#g; # add paragraph breaks
$usercomment = "<p>$usercomment</p>\n\n\n"; # wrap it all up

Sounds about right, maybe with <br> for single line breaks too.

Do Perl people really use regular expressions for all replacement? Isn't
that inefficient?
 
Toby A Inkster

Leif said:
Do Perl people really use regular expressions for all replacement?

I do, but that's just me being lazy. You could do stuff with index(),
substr(), etc, but why bother?

Isn't that inefficient?

Perl has a highly optimised regular expression engine. I tend to let the
Perl interpreter guys do the optimisation so I don't have to.
 
Safalra

Toby A Inkster said:
Leif said:
I just wrote a simple blog for myself (http://tw.ecritters.biz/), and I
want to add a comment feature. I can't let users use HTML in the posts,
because they could do all sorts of nasty things (their own CSS,
nonstandard HTML, ECMAScript, etc.), so how should I format them?

[snip Perl code escaping special characters]
This is in Perl. I see you're using PHP, so look into preg_replace instead
of my "=~ s#X#Y#g;" things.

The function htmlspecialchars() will perform all the escapes in one go:

http://www.php.net/manual/en/function.htmlspecialchars.php

--- Stephen Morley ---
http://www.safalra.com
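Putting the thread's advice together in the OP's language: the following is an added PHP example, not code posted by anyone in this thread. It does what Toby's Perl snippet does (escape first, then add paragraph markup) using the htmlspecialchars() function Safalra points to, and adds the <br> for single line breaks that Leif asked about. The function name, the ENT_QUOTES/ENT_SUBSTITUTE flags and the UTF-8 charset argument are this example's own choices; the thread only names htmlspecialchars() itself.

```php
<?php
// Added example, not from any poster in this thread. Formats an untrusted
// comment as HTML. Order matters: escape the user's text first, then add
// our own <p>/<br> markup, so the escaping step cannot touch our tags and
// the user's text cannot smuggle any tags, CSS or script past it.

function format_comment(string $comment): string
{
    // Normalise Windows and old-Mac line endings so the newline rules below
    // see a single "\n" convention.
    $text = str_replace(["\r\n", "\r"], "\n", $comment);

    // Step 1: escape &, <, >, " and '. ENT_QUOTES covers both quote styles so
    // the result is also safe inside an attribute value; ENT_SUBSTITUTE
    // replaces invalid UTF-8 instead of returning an empty string; naming
    // the charset explicitly avoids a mismatch with the page encoding.
    $safe = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // Step 2: two or more newlines become a paragraph break, a single
    // newline becomes <br>. Leading/trailing whitespace is dropped and
    // empty paragraphs are skipped.
    $paragraphs = preg_split('/\n{2,}/', trim($safe));
    $html = '';
    foreach ($paragraphs as $p) {
        if ($p === '') {
            continue;
        }
        $html .= '<p>' . str_replace("\n", "<br>\n", $p) . "</p>\n";
    }
    return $html;
}

// Constructed sample input: a script tag, a single quote and mixed
// paragraph/line breaks, to show that only the text survives.
$sample = "Hello <script>alert('x')</script>\nsecond line\n\n\nnew \"para\"";
echo format_comment($sample);
```

The point a practitioner should take from the ordering: if the `<p>`/`<br>` insertion ran before htmlspecialchars(), the escaping would turn your own `<br>` into `&lt;br&gt;`; if it ran after but on unescaped text, the user's `<script>` would reach the browser intact. Escaping first and only then wrapping in markup you generated yourself keeps both straight.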
 
