3

I am currently using jQuery to check if the textarea has HTML in it: (and I will continue to use this)

   if ($('textarea#newMessage').val().match(/<(\w+)((?:\s+\w+(?:\s*=\s*(?:(?:"[^"]*")|(?:'[^']*')|[^>\s]+))?)*)\s*(\/?)>/)) {
      $('textarea#newMessage').focus();
      $('#error').html('Error: HTML is not aloud. Please remove all of the HTML in your message to continue.')
      .click(function() { $('#newMessage').focus(); })
      .stop(true,true)
      .fadeIn(800)
      .delay(1500)
      .fadeOut(200);
      return false;
   }

But, how can I use PHP to do this same thing? If someone disables JavaScript, they can easily submit the form with HTML in it. Is there a way for PHP to do this also?

2

5 Answers

4
if ($text != strip_tags($text)) {
    // text contains html
}

see strip_tags


2

This will catch tags and no text.

$textareaname = (isset($_POST['textareaname']))
                ? $_POST['textareaname']
                : '';

if ($textareaname !== strip_tags($textareaname))
{
    // contains tags
}

elseif (trim($textareaname) === '')
{
    // textarea is empty
}

else
{
    // OK! do something
}

Notes:

  1. If the form is sent without anything in the textarea, $_POST['textareaname'] won't exist and PHP will throw an error when you try to use it.
  2. If someone sends nothing but spaces trim() will catch it.

4 Comments

I'd kinda actually rather have the error message. I would accept your answer, but I'd rather have the error message as, if they don't have JavaScript enabled, they might be trying to bypass my jQuery checking, which would mean that it should show an error even with the PHP. But thanks so much for telling me about trim()!! :) Also, I might not want to forgo the jQuery method because I am going to be using AJAX to submit the form.
@Nathan: In light of your comment, I updated the code to check for tags and empty textareas with nothing but spaces.
Thanks so much! :) What does the ? and other stuff do in the variable? Is it part of isset()?
a ? b : c is a shortcut for if(a) b else c. For a better explanation see ternary operators in the manual or Reference - What does this symbol mean in PHP?
1

Use preg_match() with the regular expression you already got. And by the way: Instead of "aloud" you probably mean "allowed" ;)

1 Comment

Yep, I meant "allowed" LOL. Thanks.
1

First of all, you may use exactly the same regexp via preg_match.

Besides, you want to restrict HTML to avoid changing anything in your code structure.
So, you may just use htmlspecialchars to print HTML as plain text.
But if you really need to check whether they exist, you may just check for the symbols < and > that can break your markup with preg_match('~[<>]~',..) or just two strpos'es.

1 Comment

Yeah, well the reason I'm restricting HTML is because the textarea is a reply thing, and when you reply it gets added to the database and an email gets sent. I don't want extra HTML in the email. (someone could easily add JavaScript to the reply with <script> tags and mess something up)
1

Try this:

if(preg_match("/<[^>]*>/", $_POST['textareaname'])){
   //contains html tags
} else {
   //dosomething...
}

7 Comments

Will this check if the textarea is empty? (I also needed this too) If so thanks also.
edited.. remove html tags and check if the textarea is empty.
Will this remove them or show an error if it has HTML tags in it?
For increased usability you could have PHP automatically strip the tags instead of requiring the user to do it. Also: isset($_POST['textareaname']) will check if the textarea is empty. See isset in the manual.
@Herbet What if someone puts in some spaces? Will it count as not empty with isset()? I have been trying to figure that out for a while because right now I just use if($value = '') { and that allows the user to just type a space and send it without anything in it.
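
The checks discussed in the answers above (missing field, whitespace-only input, the strip_tags comparison, and htmlspecialchars on output) combined into one server-side validator, as an added example that is not code from any of the answers. The function name validate_reply and the sample submissions are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Validate a reply body on the server (hypothetical helper).
 * Returns [cleanText, error]; exactly one of the two is null.
 */
function validate_reply(array $post, string $field = 'textareaname'): array
{
    // A missing field or a non-string value (e.g. textareaname[]=x) becomes ''.
    $raw  = (isset($post[$field]) && is_string($post[$field])) ? $post[$field] : '';
    $text = trim($raw);

    if ($text === '') {
        return [null, 'Error: the message is empty.'];
    }
    // strip_tags() removes anything it parses as a tag, so any difference
    // between input and output means the message contained markup.
    if ($text !== strip_tags($text)) {
        return [null, 'Error: HTML is not allowed. Please remove all of the HTML in your message to continue.'];
    }
    return [$text, null];
}

// Constructed sample submissions standing in for $_POST.
$samples = [
    'missing field' => [],
    'spaces only'   => ['textareaname' => "   \n "],
    'html tags'     => ['textareaname' => 'Thanks <b>a lot</b>'],
    'array value'   => ['textareaname' => ['x']],
    'plain text'    => ['textareaname' => 'Tom & Jerry say "hello"'],
];

foreach ($samples as $label => $post) {
    [$clean, $error] = validate_reply($post);
    if ($error !== null) {
        echo $label, ': rejected, ', $error, PHP_EOL;
        continue;
    }
    // Escape at output time when the text goes into an HTML page or HTML e-mail.
    echo $label, ': accepted, ', htmlspecialchars($clean, ENT_QUOTES, 'UTF-8'), PHP_EOL;
}
```

Because strip_tags() treats a `<` followed directly by a non-space character as the start of a tag, text such as `a<b` is also rejected by this comparison.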