How to prevent users from submitting unclosed tags

+2 Yousef Al-Hadhrami · December 26, 2014
Hey all
I have created a CMS It's fine for all properties of pages and posts except for content because atleast I need to make user able to make text bold, italic, insert links, and quotes
The problem is some times users forgets to close tag which breaks page HTML

This is what I use right now for outputing html tags

if($current_page){ ?>
<h3>Edit Page</h3>
Menu name: <?php echo htmlentities($current_page["page_name"]); ?><br />
Position: <?php echo $current_page["position"]; ?><br />
Type: <?php echo $current_page["type"]; ?><br />
Visible: <?php echo $current_page["visible"] == 1 ? 'yes' : 'no'; ?><br />
Content:<br />
<div class="view-content-edit">
<?php echo html_entity_decode(nl2br($current_page["content"])); ?>
<a href="edit_page.php?page=<?php echo urlencode($current_page["id"]); ?>">Edit Page</a>

I inserted the data via mysql but with htmlentities()
what I want is to prevent user from inputting some tags that can break html like </div> and make sure they close all tags
a tip on creating a similar post form like thenewboston's one will be good :)

Post a Reply


Oldest  Newest  Rating
+1 c student · December 26, 2014
you can escape the characters which would affect your script tags (i think?) or you can encode special characters for example: & becomes &amp;

google is your best friend.
0 Alex . · December 29, 2014
why not have a js check to see if <strong> exists then alert "please include </strong> tag" ?
0 Raphael de Oliveira · January 2, 2015
Another option would be just allowing the user to use only your own tags, which you can str_replace later on, for example

 Becomes <strong>
[/ b ] Becomes </strong>

But back to your question, one way you could do it it's to check for a closure tag using str_pos (which is a function that gives the position of a string within a string, if the return is 0, then we can just assume it isn't there)

if (strpos($userSubmittedData, "</strong>") < 1) {
$userSubmittedData = $userSubmittedData . "</strong>"
0 Yousef Al-Hadhrami · December 27, 2014
Thanks for the replay, and true google is my friend but not always, I already used str_replace(); function to replace some characters with that, but this is not the main point right now, I am aiming to make sure the submitted query has well constructed html such as


instead of user just submitting

I want it to only submit query that has all tags closed because if he/she did not close the tag, it will affect my whole HTML page including the static section of the page making the whole text bold
0 Ron Butcher · December 31, 2014
Instead of making users use HTML tags, have them use a WYSIWYG editor that will do it for them.  I like tinymce myself.  It is very easy to setup and use.  And the biggest bonus:  it's free!
  • 1



Server-side, HTML embedded scripting language used to create dynamic Web pages.