Whenever display text in an HTML document I always put it through htmlentities for a number of reasons. One of the reasons is that if the text contains HTML, I want the browser to display the HTML code, not render it.
The application I am writing requires that I still encode using htmlentities but hyper links need to be left alone.
Is there a way to do this efficiently using existing functions or do I need to implement this functionality?
The usual way is to pass any "possibly harmful data" through htmlspecialchars() before showing it as part of a webpage. You can do that for user's comment, note, etc.
For any URL that users entered, you can show it on screen using htmlspecialchars(). The URL will be displayed on screen as it is. (any & will be escaped to & but when shown on screen, it will become & again. Maybe your concern is when it is linked, as in <a href="______">text</a>, in which case you can escape the 4 characters: < > " ' because you don't want the & to be further escaped into &amp;, or you can use filter_var() to sanitize the url: http://us3.php.net/manual/en/function.filter-var.php
You can roll your own format (or use bbcode, markdown or others).
You can parse HTML (using a proper library; not regex, please) and selectively keep all the <a> tags.
You can use regex to allow an HTML-like <a>-tag syntax, say in the form of
<a href="..."[ rel="..."]>...</a>
but keep in mind that it will not be HTML. (HTML allows rel to be specified before href, for starters.)
Also see this question; particularly the comments to my answer.
