Closing Tags Out

[Dank]

Hi,

I have made a forum of my own and allow members to have signatures. However, if they mess up the HTML in the signature, the rest of my page gets messed up, as they maybe forgot to close out a tag or something of that nature. Any suggestions on how to deal with this? (besides not allowing HTML in the signatures which is what I'm doing now...)

I'm sorry if this has already been asked, I searched and couldn't find anything specific to this. Thanks for any help!

[Phil.Roberts]

Fraid not. If you're gonna grant your users that kind of freedom then you're essentially trusting them to know what theyre doing. There are too many way to, for example, screw up table code to guard against it in any useable way.

Having said that there IS a PHP class available on the net that can filter out specific html tags. This might be of use to you if you want to restrict your users to basic text-formatting and deny them the use of tables and javascript and the like.

I still have the files, I can zip them up and email them if you like.

[Anarchos]

Make your own pseudo-html and only parse the tags if the closing tag is there. For example:
$text = preg_replace("/\[&#098;](.*)\[\/&#098;]/Ui","<b>$1</b>",$text);

This will only turn the text bold if the closing [/b] is there. Make sure at the beginning that you convert all <'s to &amp;lt;'s

[mattjacob]

It's a security hole to enable HTML in sigs or forums at all, so I'd just turn it off.

[Anarchos]

What makes it a security hole?

[iTec]

Originally posted by Anarchos
What makes it a security hole?

we can start with javascript, allow javascript and they can pop-up windows ect ect, redirect users to there own website ect ect

[Anarchos]

That's not a security hole, but you can just replace <script with "". Besides that, my whole point was to not allow HTML, and instead create a pseudo-html parser.

[mattjacob]

It's not secure because on some BBS software, you can gain access to the admin's/mod's passwords or other people's passwords. It's not pretty.