3

I am currently using jQuery to check if the textarea has HTML in it: (and I will continue to use this)

   if ($('textarea#newMessage').val().match(/<(\w+)((?:\s+\w+(?:\s*=\s*(?:(?:"[^"]*")|(?:'[^']*')|[^>\s]+))?)*)\s*(\/?)>/)) {
      $('textarea#newMessage').focus();
      $('#error').html('Error: HTML is not aloud. Please remove all of the HTML in your message to continue.')
      .click(function() { $('#newMessage').focus(); })
      .stop(true,true)
      .fadeIn(800)
      .delay(1500)
      .fadeOut(200);
      return false;
   }

But, how can I use PHP to do this same thing? If someone disables JavaScript, they can easily submit the form with HTML in it. Is there a way for PHP to do this also?

Nathan
  • 11,814
  • 11
  • 50
  • 93

5 Answers

4
if ($text != strip_tags($text)) {
    // text contains html
}

see strip_tags

harpax
  • 5,986
  • 5
  • 35
  • 49
2

This will catch tags and no text.

$textareaname = (isset($_POST['textareaname']))
                ? $_POST['textareaname']
                : '';

// compare the guarded copy, not $_POST directly, so a missing key
// does not trigger an undefined-index notice here
if ($textareaname !== strip_tags($textareaname))
{
    // contains tags
}

elseif (trim($textareaname) === '')
{
    // textarea is empty
}

else
{
    // OK! do something
}

Notes:

  1. If the form is sent without anything in the textarea, $_POST['textareaname'] won't exist and PHP will throw an error when you try to use it.
  2. If someone sends nothing but spaces trim() will catch it.
Herbert
  • 5,698
  • 2
  • 26
  • 34
  • I'd kinda actually rather have the error message. I would accept your answer, but I'd rather have the error message as if they don't have JavaScript enabled, they might be trying to bypass my jQuery checking, which would mean that it should show an error even with the PHP. But thanks so much for telling me about `trim()`!! :) Also, I might not want to forgo the jQuery method because I am going to be using AJAX to submit the form. – Nathan Aug 29 '11 at 04:36
  • @Nathan: In light of your comment, I updated the code to check for tags and empty textareas with nothing but spaces. – Herbert Aug 29 '11 at 05:00
  • Thanks so much! :) What does the `?` and other stuff do in the variable? Is it part of `isset()`? – Nathan Aug 29 '11 at 05:35
  • `a ? b : c` is a shortcut for `if(a) b else c`. For a better explanation see [ternary operators](http://php.net/manual/en/language.operators.comparison.php#language.operators.comparison.ternary) in the manual or [Reference - What does this symbol mean in PHP?](http://stackoverflow.com/questions/3737139/reference-what-does-this-symbol-mean-in-php) – Herbert Aug 29 '11 at 10:20
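The two answers above (the `strip_tags()` comparison and the `isset()`/`trim()` guards) put together as one server-side check, written as an added example rather than code from either answer. The field name `newMessage` is the one from the question; the function name, error strings and JSON response shape are assumptions for this demo, and it needs PHP 7 or later for the type declarations and `??`.

```php
<?php
// Added example, not code from any answer on this page: a server-side
// check that mirrors the jQuery validation in the question. The field name
// 'newMessage' comes from the question; the error strings, the function
// name and the JSON response shape are assumptions for this demo.
// Requires PHP 7 or later (scalar type declarations and ??).

/**
 * Validate one textarea field from a submitted form.
 * Returns ['ok' => true, 'value' => $text] on success, or
 * ['ok' => false, 'error' => $message] describing the first problem found.
 */
function validateMessage(array $post, string $field = 'newMessage'): array
{
    // The key may be absent from $_POST entirely (a normal browser sends an
    // empty textarea, but a hand-built request can omit it), so never read it
    // unguarded. ?? is the same thing as the isset() ternary in the answer.
    $raw = $post[$field] ?? '';

    // A request can also send newMessage[]=... which PHP turns into an array;
    // strip_tags() and trim() expect a string, so reject anything else.
    if (!is_string($raw)) {
        return ['ok' => false, 'error' => 'Error: The message is not valid.'];
    }

    // Detect markup the way the answers do: if strip_tags() changes the text,
    // the text contained something it treated as a tag. This is stricter than
    // the regex /<[^>]*>/ because strip_tags() also drops an unterminated run
    // such as "a <b", so that input is rejected as well.
    if ($raw !== strip_tags($raw)) {
        return [
            'ok'    => false,
            'error' => 'Error: HTML is not allowed. Please remove all of the HTML in your message to continue.',
        ];
    }

    // trim() so that a message made only of whitespace counts as empty.
    if (trim($raw) === '') {
        return ['ok' => false, 'error' => 'Error: The message is empty.'];
    }

    return ['ok' => true, 'value' => $raw];
}

// Form handler: answers a normal submit and an AJAX submit the same way,
// with a JSON body the client can use to display the error text.
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $result = validateMessage($_POST);
    header('Content-Type: application/json; charset=utf-8');
    http_response_code($result['ok'] ? 200 : 422);
    echo json_encode($result);
    exit;
}

// Command-line demo over constructed inputs.
if (PHP_SAPI === 'cli') {
    $cases = [
        [],                                      // key missing
        ['newMessage' => "   \n\t"],             // whitespace only
        ['newMessage' => 'hello <b>world</b>'],  // markup
        ['newMessage' => 'a <b'],                // unterminated, also rejected
        ['newMessage' => 'price is 1 < 2'],      // "<" followed by a space is kept
        ['newMessage' => 'plain text reply'],
    ];
    foreach ($cases as $post) {
        $r = validateMessage($post);
        printf("%-38s => %s\n", json_encode($post), $r['ok'] ? 'ok' : $r['error']);
    }
}
```

Because the same function answers the AJAX path and the no-JavaScript path, the check cannot be bypassed by turning off the jQuery validation; the client-side regex remains only a convenience for the user.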
1

Try this:

if(preg_match("/<[^>]*>/", $_POST['textareaname'])){
   //contains html tags
} else {
   //dosomething...
}
Kakashi
  • 2,165
  • 14
  • 19
  • Will this check if the textarea is empty? (I also needed this too) If so thanks also. – Nathan Aug 28 '11 at 18:56
  • edited.. remove html tags and check if the textarea is empty. – Kakashi Aug 28 '11 at 18:58
  • Will this remove them or show an error if it has HTML tags in it? – Nathan Aug 28 '11 at 19:06
  • For increased usability you could have PHP automatically strip the tags instead of requiring the user to do it. Also: `isset($_POST['textareaname'])` will check if the textarea is empty. See [isset](http://us3.php.net/manual/en/function.isset.php) in the manual. – Herbert Aug 28 '11 at 19:34
  • @Herbert What if someone puts in some spaces? Will it count as not empty with `isset()`? I have been trying to figure that out for a while because right now I just use `if($value = '') {` and that allows the user to just type a space and send it without anything in it. – Nathan Aug 28 '11 at 19:49
  • isset makes sure the array key (in this case "textareaname") has actually been set. You should use it to insure that the variable $_POST['textareaname'] exists before trying to do anything with it. See my answer for more details. @RiaD - What in the world are you talking about? – Herbert Aug 28 '11 at 21:44
  • @RiaD - my apologies. Kakashi edited his answer and I didn't catch it. I understand what you're talking about now. :p – Herbert Aug 28 '11 at 21:56
1

Use preg_match() with the regular expression you already have. And by the way: instead of "aloud" you probably mean "allowed" ;)

str
  • 42,689
  • 17
  • 109
  • 127
1

First of all, you may use exactly the same regexp via preg_match.

Besides, you want to restrict HTML to avoid changing anything in your code structure.
So, you may just use htmlspecialchars to print HTML as plain text.
But if you really need to check whether they exist, you may just check for the symbols < and > that can break your markup with preg_match('~[<>]~', ...) or just with strpos calls.

RiaD
  • 46,822
  • 11
  • 79
  • 123
  • Yeah, well the reason I'm restricting HTML is because the textarea is a reply thing, and when you reply it gets added to the database and an email gets sent. I don't want extra HTML in the email. (someone could easily add JavaScript to the reply with ` – Nathan Aug 28 '11 at 19:46
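The alternative this answer describes, escaping on output instead of (or in addition to) rejecting on input, as an added example that is not code from the answer. The `'~[<>]~'` pattern is the one from the answer; the function names and the sample strings are constructed for this demo.

```php
<?php
// Added example, not code from the answer above: escape the reply when it is
// rendered instead of refusing it, using htmlspecialchars() as the answer
// suggests. Function names and sample strings are constructed for this demo;
// the '~[<>]~' pattern is the one given in the answer.

/** Make arbitrary user text safe to embed in an HTML page or HTML email body. */
function escapeForHtml(string $text): string
{
    // ENT_QUOTES escapes both quote styles so the text is also safe inside an
    // attribute value; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
    // returning an empty string (PHP 5.4+).
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** The answer's cheap check: does the text contain a character that can start or end a tag? */
function hasAngleBrackets(string $text): bool
{
    return preg_match('~[<>]~', $text) === 1;
}

// Constructed inputs: script markup, an innocent comparison that merely
// contains '<' and '>', and plain text.
$samples = [
    '<script>alert(1)</script>',
    'if a < b then b > a',
    'just a plain reply',
];

foreach ($samples as $s) {
    printf("%-28s brackets=%-3s stripped=%-3s escaped=%s\n",
        $s,
        hasAngleBrackets($s) ? 'yes' : 'no',
        $s !== strip_tags($s) ? 'yes' : 'no',
        escapeForHtml($s)
    );
}
```

Running it shows the trade-off the thread circles around: the `[<>]` check rejects the harmless comparison, the `strip_tags()` comparison lets it through because `<` followed by a space is not treated as a tag, and `escapeForHtml()` keeps all three strings intact while making the first one render as literal text rather than as a script. For the email in the question, sending the message body as `text/plain` is the simplest way to ensure the mail client never interprets tags at all.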