Created June 14, 2012 16:45
How to escape user input for display on a page, and turn URLs into links.
<?php
$content = '
Text with newlines, possible XSS attacks and URLs.
<script type="text/javascript">alert("this could be an XSS attack.");</script>
The URL to my github page is https://github.com/geon.
';
/*
                     0 - The URL as written in the text.
|-------------------------------------------------|
     2 - The "s" in "https".
     |--|
              3 - Anything after "http://".
              |-------------|
                               4 - URL without leading "http://", but with "www.".
                               |------------------|
(http(s)?:\/\/([^\s]*[^\s\.]))|(www\.[^\s]*[^\s\.])

The "body" of the URL is matched with "[^\s]*[^\s\.]", meaning anything until
whitespace, but not including trailing dots. (A URL is commonly written at the
end of a sentence.)

Reconstruct the URL with "http${2}://${3}${4}".

The backreference to 2 means we can write out the "http" to make the
URLs missing it work, and still make https work.

Both 3 and 4 are used, since only one of them will ever match.
*/
// Wrap the content in a p-tag.
$content_htmlized = '<p>'.
	// Replace double newlines with a new p-tag and single newlines with a br-tag.
	strtr(
		// Add link-tags to URLs.
		preg_replace(
			'/(http(s)?:\/\/([^\s]*[^\s\.]))|(www\.[^\s]*[^\s\.])/uis',
			// rel="noopener noreferrer" keeps the opened page from reaching back through window.opener.
			'<a target="_blank" rel="noopener noreferrer" href="http${2}://${3}${4}">${0}</a>',
			// Escape first, so the only markup in the output is what this code adds.
			htmlspecialchars($content, ENT_QUOTES, 'UTF-8')
		),
		array("\n\n" => "</p>\n<p>", "\n" => "<br />\n")
	).
'</p>';
// The htmlized content can be printed straight out on the page.
print($content_htmlized);
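
Because the gist matches URLs in text that is already escaped, an entity such as `&quot;` or `&gt;` that directly follows a URL is taken as part of the link target. The variant below is an added example, not the gist author's code: it splits the raw text on URLs first and escapes each piece separately. The names `esc()` and `linkify_escaped()` are hypothetical and the sample input is constructed.

```php
<?php
// Added example, not the gist author's code. esc() and linkify_escaped()
// are hypothetical helper names; the sample input is constructed.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function linkify_escaped(string $text): string
{
    // Split the RAW text on URLs. With one capture group and
    // PREG_SPLIT_DELIM_CAPTURE, odd indexes are URLs, even indexes are text.
    $parts = preg_split(
        '~((?:https?://|www\.)[^\s<>"\']+)~iu',
        $text, -1, PREG_SPLIT_DELIM_CAPTURE
    );
    if ($parts === false) { // e.g. invalid UTF-8 under the /u flag
        return esc($text);
    }
    $out = '';
    foreach ($parts as $i => $part) {
        // Trailing punctuation belongs to the sentence, not the URL.
        $url = rtrim($part, '.,;:!?)');
        if ($i % 2 === 0 || !preg_match('~^(?:https?://|www\.).~i', $url)) {
            $out .= esc($part); // plain text, or nothing left after trimming
            continue;
        }
        $tail = (string) substr($part, strlen($url));
        $href = stripos($url, 'www.') === 0 ? 'http://' . $url : $url;
        $out .= '<a target="_blank" rel="noopener noreferrer" href="'
              . esc($href) . '">' . esc($url) . '</a>' . esc($tail);
    }
    return $out;
}

// Constructed input: a quoted URL with a query string, a bracketed URL, markup.
$sample = "See \"https://example.com/?a=1&b=2\", or <www.example.org>.\n\n"
        . "<script>alert(1)</script>";

print '<p>'
    . strtr(linkify_escaped($sample), array("\n\n" => "</p>\n<p>", "\n" => "<br />\n"))
    . '</p>';
```

The first link's `href` ends at `b=2` with the `&` written as `&amp;`, and the closing quote, comma and angle brackets are emitted as escaped text outside the anchors.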