SkinbaseNova/app/Support/ForumPostContent.php

<?php

namespace App\Support;

class ForumPostContent
{
    public static function render(?string $raw): string
    {
        $content = (string) ($raw ?? '');

        if ($content === '') {
            return '';
        }

        $allowedTags = '<p><br><strong><em><b><i><u><ul><ol><li><blockquote><code><pre><a><img>';
        $sanitized = strip_tags($content, $allowedTags);

        $sanitized = preg_replace('/\son\w+\s*=\s*"[^"]*"/i', '', $sanitized) ?? $sanitized;
        $sanitized = preg_replace('/\son\w+\s*=\s*\'[^\']*\'/i', '', $sanitized) ?? $sanitized;
        $sanitized = preg_replace('/\s(href|src)\s*=\s*"\s*javascript:[^"]*"/i', ' $1="#"', $sanitized) ?? $sanitized;
        $sanitized = preg_replace('/\s(href|src)\s*=\s*\'\s*javascript:[^\']*\'/i', ' $1="#"', $sanitized) ?? $sanitized;

        $linked = preg_replace_callback(
            '/(?<!["\'>])(https?:\/\/[^\s<]+)/i',
            static function (array $matches): string {
                $url = $matches[1] ?? '';
                $escapedUrl = e($url);

                return '<a href="' . $escapedUrl . '" target="_blank" rel="noopener noreferrer" class="text-sky-300 hover:text-sky-200 underline">' . $escapedUrl . '</a>';
            },
            $sanitized,
        );

        return (string) ($linked ?? $sanitized);
    }
}