Here is the line of code I have which works great:
$content = htmlspecialchars($_POST['content'], ENT_QUOTES);
But what I would like to do is allow only certain types of HTML code to pass through without getting converted. Here is the list of HTML code that I would like to have pass:
<pre> </pre>
<b> </b>
<em> </em>
<u> </u>
<ul> </ul>
<li> </li>
<ol> </ol>
And as I go, I would like to also be able to add in more HTML later as I think of it. Could someone help me modify the code above so that the specified list of HTML codes above can pass through without getting converted?
I suppose you could do it after the fact:
// $str is the result of htmlspecialchars()
preg_replace('#<(/?(?:pre|b|em|u|ul|li|ol))>#', '<\1>', $str);
It allows the encoded version of <xx> and </xx> where xx is in a controlled set of allowed tags.
Or you can go with old style:
$content = htmlspecialchars($_POST['content'], ENT_QUOTES);
$turned = array( '<pre>', '</pre>', '<b>', '</b>', '<em>', '</em>', '<u>', '</u>', '<ul>', '</ul>', '<li>', '</li>', '<ol>', '</ol>' );
$turn_back = array( '<pre>', '</pre>', '<b>', '</b>', '<em>', '</em>', '<u>', '</u>', '<ul>', '</ul>', '<li>', '</li>', '<ol>', '</ol>' );
$content = str_replace( $turned, $turn_back, $content );
I improved the way Jack attacks this issue. I added support for <br>, <br/> and anchor tags. The code will replace fist href="..." to allow only this attribute to be used.
$str = preg_replace(
array('#href="(.*)"#', '#<(/?(?:pre|a|b|br|em|u|ul|li|ol)(\shref=".*")?/?)>#' ),
array( 'href="\1"', '<\1>' ),
$str
);
You could use strip_tags
$exceptionString = '<pre>,</pre>,<b>,</b>,<em>,</em>,<u>,</u>,<ul>,</ul>,<li>,</li>,<ol>,</ol>';
$content = strip_tags($_POST['content'],$exceptionString );
来源:https://stackoverflow.com/questions/12819804/how-do-i-use-htmlspecialchars-but-allow-only-specific-html-code-to-pass-through