PHP: Allow users to make posts with certain tags

Question

Users on my site can post news items. But right now, it's all honor system as far as HTML goes.

function postNewsItem($subject, $body, $userid){
  $time = time();
  $subject = mysql_real_escape_string($subject);
  $body = mysql_real_escape_string($body);
  $q = "INSERT INTO news (subject, body, userid) VALUES ('$subject', '$body', '$userid')";
  $result = mysql_query($q, $this->connection);
  return 1;
}

I want users to be able to link to images, build tables, bold their words, etc etc, but I don't want them to be able to link to malicious scripts and what-not. I know there are ways to escape HTML from user input, but is there a way to do that while allowing certain tags?

Answer 1

Use HTML PUrifier. It allows you to basically create a whitelist of allows tags and it filters out anything else out.

Answer 2

you may use strip_tags and allow certain tags

www.php.net/strip_tags

<?php
$allow = '<table><thead><th><tr><td><tbody><tfoot><img><a><b><i><u>';

$body = mysql_real_escape_string(strip_tags($body, $allow));
?>

of course you will need sanitize some attributes