Allow HTML to be entered in text area

Question

So I don't know if I'm looking for the wrong thing on Google or Stackoverflow, but I want to achieve this-

There is a text-area in a form and I want the user to be able to enter HTML tags.

So the user would enter this in to the text area:

<html>
<p>Hello World</p>
</html>

This is then submitted by AJAX and JavaScript to the database however is seems to get rid of the tags.

What I'm wanting is to keep the tags when the data is returned, however not actually affect the other data in the text area. So example if I was to echo out the content of the text area it would echo out:

<html>
<p>Hello World</p>
</html>

as plain text.

Okay I have gone down the root of using htmlspecialchars, which does what I wanted, as it displays the tags as plain text. However I would like some tags to be executed sill such as the bold tag. How would I combine htmlspecialchars and striptags to allow tags to be displayed as plain text but also allow the tags specified in the striptags to be executed.

Answer 1

There is nothing you need (or can) do to allow users to enter HTML tags. The reason is that the input is read as plain text anyway, so any < character is taken just as-is. So if the user types <a> , these three characters get inserted into the form data.

What you do with the data then, server-side or otherwise, may or may not handle HTML tags. It's all up to your code. If you simply echo everything as such on a generated HTML page, then HTML markup will have the usual effect. If you wish to render it as text, as visible tags, then simply encode any & as & and any < as < .

Answer 2

您无需执行任何操作，只要您不过滤用户提交的文本，它就会自动执行。

Answer 3

NB If you want to echo the entered HTML back to users, be very aware of potential malicious code in the entered HTML. This security issue is known as Cross-site scripting (or XSS).

In other words: never trust the entered code