On Mon, Jan 12, 2009 at 10:42 AM, wrote:
>
> Google for BBCode.
>
> It's just str_replace(array('[b]','[/b]'),array('',''),$text) in the
> end.
>
> And it's not really going to be any better than just letting them type
> and if that is needed.
>
> Your sanitization process will be the same no
Google for BBCode.
It's just str_replace(array('[b]','[/b]'),array('',''),$text) in the end.
And it's not really going to be any better than just letting them type and
if that is needed.
Your sanitization process will be the same no matter what, and will have the
same flaws/risks eith
On Sun, 11 Jan 2009 09:59:22 -0500, tedd.sperling wrote:
>I've tried stripping out all Gremlins, like so:
That looks like a great (slow) way to rip out characters that probably
ought to be there, like left and right single and double quotes, em and
en dashes, ellipses, copyright and trademark sym
G'day Tedd,
>Yes, when you have intelligent and cooperative clients -- have
>any to spare?
Hey, you keep your grubby mitts off my intelligent and cooperative
clients, it took a while to get them that way :)
Let's face it: people who pay other people to do a job for them usually
don't understand
c...@l-i-e.com wrote:
Rule #1.
Never, ever, ever, alter the user's input, EXCEPT for sanitizing/filtering.
Specifically, do NOT add tags in place of newlines.
Store the newlines.
Upon OUTPUT, you can use nl2br() to get tags.
Or str_replace if you want instead.
This is crucial as a habit, d
At 9:02 AM -0500 1/11/09, Eric Butera wrote:
I tried using tidy to clean up some of that stuff but it was giving me
even more problems. I enjoyed having valid docs with all the crap
ripped out, but I use my editor blocks on lots of different parts of
the site, so having it remove/combine style t
At 11:24 AM +1100 1/11/09, Ross McKay wrote:
Nathan Rixham wrote:
HTML is a markup language used to describe the structure of a document;
presentation of HTML is controlled by either a client, with optional
instructions via attributes (bad) or css (good)
I almost agree, except that there are
On Sun, Jan 11, 2009 at 8:50 AM, tedd wrote:
> At 11:12 AM +1100 1/11/09, Ross McKay wrote:
>>
>> With a little cooperation from the client, and a properly configured
>> TinyMCE, you can fairly easily limit what HTML tags they use.
>
> Yes, when you have intelligent and cooperative clients -- have
At 11:19 AM +1100 1/11/09, Ross McKay wrote:
tedd wrote:
The argument over what HTML is, will never be resolved.
I say it's a delivery mechanism and tags such as and are
unwanted elements. They simply confuse/blur the purpose of the
language.
I should have said and , I guess.
No, my com
At 11:12 AM +1100 1/11/09, Ross McKay wrote:
With a little cooperation from the client, and a properly configured
TinyMCE, you can fairly easily limit what HTML tags they use.
Yes, when you have intelligent and cooperative clients -- have any to spare?
You can
then provide a set of CSS clas
At 7:02 PM -0500 1/10/09, Phpster wrote:
That can and should be done with a simple str_replace() on the
display portion of the code.
Bastien
Really?
Then how do you handle these examples of client input?
This is I have to say.
This is what I have to say.
This is what I have to say.
This
Ashley Sheridan wrote:
>FCKEditor is a good editor (although poorly named!) that allows you to
>set it not to use and tags and force it to convert them to
> and instead. Couple this with a decent regex and you can
>strip out the extra style tags which result from a pasted MSWord
>selection.
Li
I agree with others that in most cases you should be storing input as it is
presented to you once POSTed (with the usual caveats of escaping etc to make
INSERTing / UPDATEing possible).
This is exactly what you are doing when accepting input from FCKEditor etc.
Your input contains markup, and that
On Sat, Jan 10, 2009 at 8:51 PM, Murray wrote:
> Interesting, I've never seen this presented as an issue of ethics before. I
> think I can see your point, but I'd suggest that there's an interplay of
> ethical obligations between a user and the host / creator of an application
> in which perhaps t
Interesting, I've never seen this presented as an issue of ethics before. I
think I can see your point, but I'd suggest that there's an interplay of
ethical obligations between a user and the host / creator of an application
in which perhaps the user should or in many cases has to accept a
de-prior
On Sun, 2009-01-11 at 11:44 +1000, Murray wrote:
> I don't know why, but I always baulk when I see HTML and, for example, XML
> etc described as a 'language'.
>
> I may well be wrong, but these always seem to be more appropriately
> described as a 'syntax' rather than a 'language', at least in th
I don't know why, but I always baulk when I see HTML and, for example, XML
etc described as a 'language'.
I may well be wrong, but these always seem to be more appropriately
described as a 'syntax' rather than a 'language', at least in the computer
science sense. Of course, maybe these are essenti
On Sun, 2009-01-11 at 11:19 +1100, Ross McKay wrote:
> tedd wrote:
>
> >The argument over what HTML is, will never be resolved.
> >
> >I say it's a delivery mechanism and tags such as and are
> >unwanted elements. They simply confuse/blur the purpose of the
> >language.
>
> I should have said
On Sat, 10 Jan 2009 17:01:28 -0500, Stephen wrote:
>How do you suggest dealing with a need to allow italics, bold,
>underlines, etc?
Give them a rich text editor, IMHO. That way, you get close tags!
Some examples:
http://tinymce.moxiecode.com/
http://www.fckeditor.net/
http://developer.yahoo.c
Ross McKay wrote:
Nathan Rixham wrote:
HTML is a markup language used to describe the structure of a document;
presentation of HTML is controlled by either a client, with optional
instructions via attributes (bad) or css (good)
I almost agree, except that there are attributes that de
Nathan Rixham wrote:
>HTML is a markup language used to describe the structure of a document;
>presentation of HTML is controlled by either a client, with optional
>instructions via attributes (bad) or css (good)
I almost agree, except that there are attributes that define the
behaviour of HTML
tedd wrote:
>The argument over what HTML is, will never be resolved.
>
>I say it's a delivery mechanism and tags such as and are
>unwanted elements. They simply confuse/blur the purpose of the
>language.
I should have said and , I guess. Of course, copypasta from
another rich text editor can
On Sat, 10 Jan 2009 10:40:43 -0500, tedd.sperling wrote:
>[...]
>One might want to design a CMS for a client (I've done it) such that
>you limit the client's ability to inject presentation choices, such
>as using bold/italic tags. But that also requires more programming
>effort to determine if
That can and should be done with a simple str_replace() on the display
portion of the code.
Bastien
Sent from my iPod
On Jan 10, 2009, at 5:01 PM, Stephen wrote:
c...@l-i-e.com wrote:
Rule #1.
Never, ever, ever, alter the user's input, EXCEPT for sanitizing/
filtering.
Specifically, do
c...@l-i-e.com wrote:
Rule #1.
Never, ever, ever, alter the user's input, EXCEPT for sanitizing/filtering.
Specifically, do NOT add tags in place of newlines.
Store the newlines.
Upon OUTPUT, you can use nl2br() to get tags.
Or str_replace if you want instead.
This is crucial as a habit, dow
tedd wrote:
At 2:19 AM +1100 1/11/09, Ross McKay wrote:
On Sat, 10 Jan 2009 09:58:24 -0500, tedd.sperling wrote:
Never store any html whatsoever in a database.
HTML is presentation and is NOT data.
Except when HTML is data, e.g. CMS. And it's better to let people input
that using something
At 2:19 AM +1100 1/11/09, Ross McKay wrote:
On Sat, 10 Jan 2009 09:58:24 -0500, tedd.sperling wrote:
Never store any html whatsoever in a database.
HTML is presentation and is NOT data.
Except when HTML is data, e.g. CMS. And it's better to let people input
that using something like TinyMCE
At 3:19 PM + 1/10/09, Nathan Rixham wrote:
tedd wrote:
While one can look at it as defensive programming, it has a larger
scope than that.
Certainly you want to sanitize all input from users to prohibit
injections, but more than that you want to keep data separate from
presentation.
At 11:58 AM -0500 1/9/09, Daniel Brown wrote:
// Convert HTML linebreak tags to paragraph tags.
Daniel:
-snip code-
Nice function.
Thanks,
tedd
--
---
http://sperling.com http://ancientstones.com http://earthstones.com
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe
tedd wrote:
At 11:43 AM -0800 1/9/09, VamVan wrote:
Rule #1.
Never, ever, ever, alter the user's input, EXCEPT for
sanitizing/filtering.
Specifically, do NOT add tags in place of newlines.
Store the newlines.
100% I agree. That's called the act of defensive programming. We have no
right over
On Sat, 10 Jan 2009 09:58:24 -0500, tedd.sperling wrote:
>Never store any html whatsoever in a database.
>
>HTML is presentation and is NOT data.
Except when HTML is data, e.g. CMS. And it's better to let people input
that using something like TinyMCE than to let them put in tags
themselves and
At 11:43 AM -0800 1/9/09, VamVan wrote:
Rule #1.
Never, ever, ever, alter the user's input, EXCEPT for sanitizing/filtering.
Specifically, do NOT add tags in place of newlines.
Store the newlines.
100% I agree. That's called the act of defensive programming. We have no
right over altering user
At 7:38 PM + 1/9/09, c...@l-i-e.com wrote:
Rule #1.
Never, ever, ever, alter the user's input, EXCEPT for sanitizing/filtering.
Specifically, do NOT add tags in place of newlines.
Store the newlines.
Upon OUTPUT, you can use nl2br() to get tags.
Or str_replace if you want instead.
This i
c...@l-i-e.com wrote:
> Rule #1.
> Never, ever, ever, alter the user's input, EXCEPT for sanitizing/filtering.
> Specifically, do NOT add tags in place of newlines.
> Store the newlines.
>
> Upon OUTPUT, you can use nl2br() to get tags.
> Or str_replace if you want instead.
I would agree with
On Fri, Jan 9, 2009 at 14:43, VamVan wrote:
>
> 100% I agree. That's called the act of defensive programming. We have no
> right over altering user input but yes we have right to display what we want
> user see on the site.
Well, of course you have the _right_ to do it --- as long as it's
lega
>> Rule #1.
>> Never, ever, ever, alter the user's input, EXCEPT for
>> sanitizing/filtering.
>
>Probably shouldn't recommend sanitizing then. Only validate & reject. :P
mea culpa
I meant ESCAPING, of course.
If it doesn't pass sanitizing/filtering, it's probably better to just "reje
Rule #1.
Never, ever, ever, alter the user's input, EXCEPT for sanitizing/filtering.
Specifically, do NOT add tags in place of newlines.
Store the newlines.
100% I agree. That's called the act of defensive programming. We have no
right over altering user input but yes we have right to display wha
On Fri, Jan 9, 2009 at 2:38 PM, wrote:
> Rule #1.
> Never, ever, ever, alter the user's input, EXCEPT for sanitizing/filtering.
Probably shouldn't recommend sanitizing then. Only validate & reject. :P
Rule #1.
Never, ever, ever, alter the user's input, EXCEPT for sanitizing/filtering.
Specifically, do NOT add tags in place of newlines.
Store the newlines.
Upon OUTPUT, you can use nl2br() to get tags.
Or str_replace if you want instead.
This is crucial as a habit, down the road, whe
On Fri, Jan 9, 2009 at 11:15, Stephen wrote:
>
> Thank you! That is the way I will do this.
>
> I may want to change to but that should be easy.
(\r)?(\n)?/Ui","$1$2",$str);
return $str;
}
$str = "This is an example of the use of this function.It
should replace only double tags.";
e
Daniel Brown wrote:
I want it to display with the line gaps.
Why not store it as plain text in the database, then run it
through nl2br() when you SELECT it from the database for display?
Thank you! That is the way I will do this.
I may want to change to but that should be easy.
At 8:12 AM -0500 1/9/09, Stephen wrote:
I have a form to accept free text in a textarea field. The entry is
stored in a database.
If the user enters:
abc
def
ghi
I want it to finally display like that.
If they enter
abc
def
ghi
I want it to display with the line gaps.
I use CSS so in th
On Fri, Jan 9, 2009 at 08:12, Stephen wrote:
> I have a form to accept free text in a textarea field. The entry is stored
> in a database.
>
> If the user enters:
>
> abc
> def
> ghi
>
> I want it to finally display like that.
>
> If they enter
>
> abc
>
> def
>
> ghi
>
> I want it to display with