Code:
<form>
<textarea rows="5" cols="20" name="userInput" onfocus="this.value=former;" onblur="this.value=urlmatching(this.value);">
</textarea>
        </form>

<script>
var former='';
            function urlmatching(str){
var expression = /[-a-zA-Z0-9@:%_\+.~#?&//=]{2,256}\.[a-z]{2,4}\b(\/[-a-zA-Z0-9@:%_\+.~#?&//=]*)?/gi;
                    
                function urlmatching2(match){

                      var t = match;//'http://google.com';
                          return '<a href='+t+' target="_blank">'+t+'</a>';

                                }

                former=str;
                return str.replace(expression,urlmatching2);
            }
</script>
How secure is this script for url matching and replacement. Form to be submitted.

Though strip_tags($_POST['userInput'],'<a>') will be used at the back end after addslashes();