I am in the middle of creating a comment box where people can ask their questions.
I get a lot of people asking how they do something, which involves inputting code into the form.
The form goes through htmlpurifier to make sure it's safe to use.
But whenever someone inputs echo code etc. it does not allow it. Or if someone inputs a div then it does not allow that either, even when wrapping it in the <code> tag.
For instance this:
<code><div class="classname"></div></code>
will just add a div.
and
<code><?php echo $word; ?></code>
will not show the code at all.
The way I have set up the htmlpurifier is:
// raw comment text as submitted by the form
$content = $_POST['comment'];
// wrap every <code> ... </code> pair in <pre> ... </pre>
$rawf = str_replace('<code>', '<pre><code>', $content);
$rawfp = str_replace('</code>', '</code></pre>', $rawf);
require_once '../Libs/htmlPurifier/library/HTMLPurifier.auto.php';
$purifierconfig = HTMLPurifier_Config::createDefault();
// only these tags/attributes survive purification
$purifierconfig->set('HTML.Allowed', 'b,a[href],i,em,br,code,pre');
$purifier = new HTMLPurifier($purifierconfig);
$clean_html = $purifier->purify($rawfp);
// add rel="nofollow" to every surviving link
$ticketpost = str_replace('<a ', '<a rel="nofollow" ', $clean_html);
Then the $ticketpost is inserted into the database using PDO prepared statements.
Is there something I am not doing, or doing wrong?
If so, could you please help?
Thanks
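The behaviour described in the question follows from how the pipeline above treats the contents of <code>: the literal <div> and <?php ... ?> inside it are still parsed as markup, so the div is kept as an element and the PHP processing instruction is dropped before HTMLPurifier's whitelist is even consulted. The following is an added example (not the asker's code, and not part of HTMLPurifier itself) that HTML-encodes whatever sits between <code> and </code> before purifying, so those characters reach the purifier as text. It assumes the same library path and HTML.Allowed list as in the question; the function names, the regular expression and the sample input are constructed for the example, and it uses HTMLPurifier's own HTML.Nofollow directive in place of the later str_replace.

```php
<?php
// Added example (not the original poster's code): escape everything between
// <code> and </code> before purifying, so that a literal <div> or <?php ... ?>
// typed inside a code tag reaches HTMLPurifier as text rather than as markup.
// Assumes the same library path and HTML.Allowed list as in the question.
require_once '../Libs/htmlPurifier/library/HTMLPurifier.auto.php';

function escapeCodeBlocks(string $content): string
{
    // Constructed pattern: non-greedy match of each <code>...</code> pair,
    // case-insensitive and spanning newlines. The callback HTML-encodes the
    // inner text, so "<div>" becomes "&lt;div&gt;" and survives purification
    // as visible text instead of being treated as an element.
    return preg_replace_callback(
        '#<code>(.*?)</code>#is',
        function (array $m): string {
            $escaped = htmlspecialchars($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
            return '<pre><code>' . $escaped . '</code></pre>';
        },
        $content
    );
}

function purifyComment(string $content): string
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed', 'b,a[href],i,em,br,code,pre');
    // Let HTMLPurifier add rel="nofollow" to links itself instead of patching
    // the purified string afterwards with str_replace.
    $config->set('HTML.Nofollow', true);
    $purifier = new HTMLPurifier($config);
    return $purifier->purify(escapeCodeBlocks($content));
}

// Constructed sample input resembling the two cases from the question.
$sample = 'Try this: <code><div class="classname"></div></code> and '
        . '<code><?php echo $word; ?></code> <a href="http://example.com/">link</a>';

// The div and the PHP tag now come out as escaped text inside <pre><code>,
// and the link carries rel="nofollow".
echo purifyComment($sample);
```

The escaping has to happen before purification, not after: once HTMLPurifier has parsed the input, the <div> has already become an element and the processing instruction is already gone. Anything the user wants to show literally, including a <code> tag inside a code sample, has to be encoded at that earlier step.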