I have a comments section on my website, and so that they don't inject code or at least avoid it as much as possible, I don't allow the <script>
. I use the following function for it:
function evitamos_script($texto) {
$limpia = strip_tags($texto, '<b> <i> <u> <quote> <img> <center> <cite> <a> <div> <a> <blockquote>'); //EVITAMOS SCRIPTS
return $limpia;
}
It works well. The problem is that I would like, for example, users to be able to share tweets, embed them in the comment. This code is obtained by each user from Twitter, in the menu Insertar tweet
, copy it and paste it in the message.
The code that it pastes, by having the tag <script>
at the end, does not allow it, and instead of an embedded tweet appearing, simply text appears.
Is there any way to fix this?
The script to embed tweets would be for example:
<script async src="//platform.twitter.com/widgets.js" charset="utf-8"></script>
I put an example of what a user would paste, putting in a comment for example the following text (and the one <script>
at the end):
<blockquote class="twitter-tweet" data-lang="es">¡Semana de Indies en Xbox! Decenas de juegos en oferta temporal. Ya tenéis los Deals With Gold de esta semana.<a href="https://t.co/kj95gnhlBK">https://t.co/kj95gnhlBK</a>— LaXtore (@LaXtore) <a href="https://twitter.com/LaXtore/status/877010505570947072">20 de junio de 2017</a></blockquote> <script async src="//platform.twitter.com/widgets.js" charset="utf-8"></script>
The idea is that this script is executed, to achieve this result:
Obviously, without allowing users to abuse my system.
Goal
What you are wanting to do is allow a user to insert a tweet from the code that Twitter gives you from the menu of each tweet.
which generates code like the following:
Let's see, it has the labels
<blockquote>
,<p>
,<a>
and<script>
.You are already allowing users to include all of these tags except
<script>
. However, the script is always the same for all tweets. It is the one in charge of converting all theblockquote.twitter-tweet
files to the desired format.Proposal
The best solution in this case, it seems to me that:
<script>
added by the user.add the line
at the end of the page.
Code
It would be, in general, as follows:
Result
In other words, you would have a page like this for example:
Alternatives
I recommend you read the Twitter developer help page: Embed a Single Tweet , where they show you the different alternatives to embed a tweet in your page.
Important safety note
This directly answers your question. However, it is by no means safe . What prevents a user from submitting something like the following?
The only way to efficiently allow the user to add tags is with a markup format that you render on your end.