Re: Re: Security, Late Nights and Overall Paranoia

On 7/8/05, Jason Barnett <jason.barnett@xxxxxxxxxxxxx> wrote:
> The typical way that forums handle this is to use what is called
> "BBCode".  In short, you have a non-HTML way for users to supply
> information that will produce markup instead of just plain text.  So if
> you want to allow italics, bolds, URLs, etc. then you have some codes
> for it like:
> 
> [i]This text will be in italics.[/i]
> [b]This text will be in bold.[/b]
> [url=http://php.net]This will be a URL that points to php.net.[/url]

While I do not disagree with the information content of your post, I
do think this sort of thing is pretty silly.

If you're gonna allow the <i> tag then just allow it.  There's no
point in allowing something else just to spend CPU cycles converting
it to what you could have allowed in the first place.  It doesn't make
it more safe that way.  Just clean out the stuff you don't want and be
done with it.

// Allow list: strip_tags() removes every tag that is not in this string.
define( 'ALLOWED_TAGS',
'<a><b><blockquote><br><cite><dd><div><dl><dt><ecode><em><i><li><ol><p><strong><tt><ul>'
);

// Note: attributes on the allowed tags (href, style, on* handlers) are left untouched.
$string = strip_tags( $string, ALLOWED_TAGS );

Cleaning an <a> tag can be accomplished just as easily as cleaning a [url] tag.


-- 
Greg Donald
Zend Certified Engineer
MySQL Core Certification
http://destiney.com/

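As an added example (not Greg's code and not from the original thread), a hypothetical clean_html() that follows the strip_tags() approach above but also vets the attributes strip_tags() leaves on an allowed <a>; clean_html() and extract_safe_href() are invented names:

```php
<?php
// Added example, not code from the original thread. strip_tags() keeps
// every attribute on an allowed tag, so allowing <a> means the href (and
// any on* handler or style attribute) still has to be vetted separately.
// clean_html() and extract_safe_href() are hypothetical helper names.

function clean_html(string $input): string
{
    // Same allow list as in the thread, minus the non-HTML <ecode> tag.
    $allowed = '<a><b><blockquote><br><cite><dd><div><dl><dt><em><i><li><ol><p><strong><tt><ul>';

    // Step 1: drop every tag that is not on the allow list.
    $stripped = strip_tags($input, $allowed);

    // Step 2: rebuild each opening <a ...> from scratch so that only a
    // vetted href survives; all other attributes are discarded.
    return preg_replace_callback('/<a\b([^>]*)>/i', function (array $m): string {
        $href = extract_safe_href($m[1]);
        if ($href === null) {
            return '<a>'; // keep the link text, lose the link itself
        }
        return '<a href="' . htmlspecialchars($href, ENT_QUOTES) . '" rel="nofollow">';
    }, $stripped);
}

// Returns the href as an absolute http:// or https:// URL, or null when
// there is no href or its scheme is anything else.
function extract_safe_href(string $attrs): ?string
{
    $re = '/\bhref\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))/i';
    if (!preg_match($re, $attrs, $h, PREG_UNMATCHED_AS_NULL)) {
        return null;
    }
    $href = $h[1] ?? $h[2] ?? $h[3] ?? '';
    // Decode entities and remove control/whitespace bytes so the scheme
    // check sees the URL a browser would actually resolve.
    $href = html_entity_decode($href, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $href = preg_replace('/[\x00-\x20\x7f]+/', '', $href);
    return preg_match('~^https?://~i', $href) ? $href : null;
}

// Constructed sample input: allowed <a> tags carrying attributes that
// strip_tags() alone would pass through unchanged, plus a disallowed tag.
$sample = '<p>See <a href="javascript:void(0)" onmouseover="x()">here</a>, '
        . '<a href="http://php.net" style="color:red">php.net</a> and '
        . '<script>x()</script>.</p>';

echo clean_html($sample), PHP_EOL;
```

Note that strip_tags() removes a disallowed tag but keeps its inner text, so the script body above survives as plain text rather than markup.
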
-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
