View Full Version : formatting user submitted documents



james438
10-05-2010, 06:19 PM
On my site I have many different options for formatting text documents. I use CSS to put select quoted text into colored boxes, text links are hyperlinked, code is properly formatted when put in code tags, and a few other goodies. I do this for my own benefit.

I am now working on a bigger project where users can log into my site and create articles of their own. I am not too worried about security as I feel fairly comfortable with my knowledge of security safeguards, but I am sure there is still much I need to learn. In fact it is partly due to this that I am having a bit of trouble.

I am trying to figure out how an article should be processed. A user will create a document and submit it to the database. I do not want the user to be able to submit javascript that will be executed after being retrieved from the database. Is there a way to disable the javascript? Should I echo the html entities when it is retrieved from the database or before it is submitted to the database? I want to be able to process certain tags like bold, anchors, my premade quote tags and code tags using square brackets, but I want <b> to be displayed as <b>, whereas text will be displayed as text.

Basically, I want to disable javascript hacking. I hope I am making some sense. For the rest I figure a simple str_replace will take care of most issues.

traq
10-05-2010, 07:51 PM
If you want to process formatting (bold, italic, etc.) using BBCode-style tags (e.g., [i], etc.), then you can use htmlentities() to display regular html <tags> safely.

Either before or after may be appropriate, depending on your purpose.

1) Before. If you NEVER want the <tags> to be used as html, do htmlentities() before saving to the database. The encoded values ( &lt; tag &gt; ) will be saved, and then you're done.

2) After. If you might want to use the html tags (e.g., if the code block you're displaying is also available for download and use), then save them to the database intact and use htmlentities() when you display it. This offers more flexibility, but a little more risk, as you have to make sure you remember to apply htmlentities() every time.

james438
10-05-2010, 11:50 PM
The problem is that I do want html tags to be used as html, but not javascript or css. I think I came up with a solution though.

URLs will be processed prior to being submitted to the database into their bbcode equivalent so that http://www.animeviews.com will look like http://www.animeviews.com. When the document is pulled from the database to be displayed, specific bbcode tags will be converted to their html equivalent, but

<script src="ajaxpagination.js" type="text/javascript"> or <style type="text/css"> or
<script type="text/javascript" src="http://www.animeviews.com/include/wz_tooltip.js"></script> or
</script>
<div style="float: left;" id="my_menu" class="sdmenu">

will be processed as html entities.
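The escape-first, allow-listed BBCode approach traq describes, written out in PHP as an added example (not code from either poster's site): the whole submission goes through htmlspecialchars() at display time (a narrower relative of htmlentities() that still covers the characters that matter here), and only recognised square-bracket tags are turned back into HTML, with [url] restricted to http and https so a javascript: link stays as plain text. The function name renderArticle, the quote class name and the sample submission are assumptions.

```php
<?php
// Added example, not from the thread. Escape first, then convert only the
// BBCode tags on an allow-list back into HTML. Because htmlspecialchars()
// runs first, any raw <script>, <style> or on*= attribute in the submission
// is displayed as text, which is the behaviour the thread is after.
function renderArticle(string $raw): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;

    // Step 1: neutralise every HTML tag and attribute in the submission.
    $safe = htmlspecialchars($raw, $flags, 'UTF-8');

    // Step 2: attribute-free tags; the replacements are fixed strings, so
    // nothing user-controlled lands in an attribute position.
    $simple = [
        '#\[b\](.*?)\[/b\]#s'         => '<b>$1</b>',
        '#\[i\](.*?)\[/i\]#s'         => '<i>$1</i>',
        '#\[quote\](.*?)\[/quote\]#s' => '<div class="quote">$1</div>', // class name assumed
        '#\[code\](.*?)\[/code\]#s'   => '<pre><code>$1</code></pre>',
    ];
    $safe = preg_replace(array_keys($simple), array_values($simple), $safe);

    // Step 3: links. Only http/https URLs become anchors; javascript:, data:
    // and scheme-relative URLs are left as escaped text.
    return preg_replace_callback(
        '#\[url=([^\]\s]+)\](.*?)\[/url\]#s',
        function (array $m) use ($flags): string {
            // The URL was escaped in step 1 (e.g. &amp;), so decode it before parsing.
            $url    = html_entity_decode($m[1], $flags, 'UTF-8');
            $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
            if (!in_array($scheme, ['http', 'https'], true)) {
                return $m[0]; // leave the BBCode visible rather than guess
            }
            $href = htmlspecialchars($url, $flags, 'UTF-8');
            return '<a href="' . $href . '" rel="nofollow">' . $m[2] . '</a>';
        },
        $safe
    );
}

// Constructed sample submission mixing BBCode, raw HTML and a javascript: link.
$submission = '[b]Hello[/b] <script src="x.js"></script> '
            . '[url=javascript:alert(1)]click[/url] '
            . '[url=http://www.animeviews.com/?a=1&b=2]site[/url] <b>literal</b>';
echo renderArticle($submission), PHP_EOL;
```

Because the escaping happens on output, the database keeps the original text, which is traq's option 2; the same function must then be the only path by which stored articles reach a page.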