> From: "Richard Lynch" <ceo@xxxxxxxxx>
> Matt Palermo wrote:
> > but just make sure that ending
> > tags exist, so it doesn't screw up the rest of the page. Strip tags would
> > just wipe out the HTML rather than allowing it and ending it safely.
>
> Strip tags will allow you to wipe out *DANGEROUS* HTML which will make
> your web server a source of problems not only to you, but to me as well.
>
> Please use strip_tags to allow only the tags you *NEED* the users to be
> able to use.
>
> It will only take you seconds, and it will save you (and us) a lot of
> grief in the long run.

strip_tags() is a rather worthless function, if you ask me. It strips such evil code as <grin> or anything else surrounded by < and >.

Its "allowed tags" attribute is misleading, also. You can think you're safe by allowing <b> tags, but I can include onmouseover (or any other) events to trigger javascript and XSS attacks.

You're better off rolling your own solution or just running everything through htmlentities()/htmlspecialchars() and showing the user exactly what they typed.

I'm on a crusade against the use of strip_tags(), if you haven't figured that out yet. :)

---John Holmes...

UCCASS - PHP Survey System
http://www.bigredspark.com/survey.html

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
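Added example, not code from the thread or from UCCASS: it puts the two approaches discussed above side by side on a constructed input. strip_tags() with an allow-list filters on the tag name only, so an event-handler attribute on an allowed <b> survives; htmlspecialchars() turns every < > " into an entity so the browser shows the text as typed. The helper names (render_with_strip_tags, render_escaped, contains_live_handler) and the sample string are my own.

```php
<?php
// Added example (not from the original post). Requires PHP >= 5.4 for ENT_HTML5.

// Constructed sample input: an allowed-looking <b> tag that smuggles an
// onmouseover handler, plus a harmless non-tag that strip_tags() also eats.
$input = 'Hello <b onmouseover="alert(document.cookie)">world</b> <grin>';

// Approach the post warns against: allow-listing <b> via strip_tags().
// strip_tags() only matches tag names; attributes on allowed tags are kept
// verbatim, so the handler reaches the browser unchanged.
function render_with_strip_tags(string $text): string
{
    return strip_tags($text, '<b>');
}

// Approach the post recommends: escape everything and show the user exactly
// what they typed. No byte the user supplied can become markup.
function render_escaped(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// A cheap smoke check to run over filtered output: is there still a real
// (unescaped) tag carrying an on*= attribute, or a javascript: URL?
// Heuristic only; it is a regression test for a filter, not a sanitizer.
function contains_live_handler(string $html): bool
{
    return (bool) preg_match('/<[^>]*\s+on\w+\s*=|javascript:/i', $html);
}

$results = [
    'strip_tags' => render_with_strip_tags($input),
    'escaped'    => render_escaped($input),
];

foreach ($results as $label => $out) {
    printf("%-10s handler survives: %s\n    %s\n",
        $label,
        contains_live_handler($out) ? 'YES' : 'no',
        $out);
}
```

Run it from the command line with `php example.php`; the strip_tags line is the one the check flags, the escaped line is inert. If you do need a subset of markup rather than plain text, the lesson is that the allow-list must cover attributes and attribute values, not just tag names, which is why the post suggests rolling your own filter rather than leaning on strip_tags().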