Re: Security Question

Here is part of my proxy tags to HTML tags translation array. Looks pretty safe to me. There is other code to recognize paragraphs and lists, etc.

$translate_array = array(
	// custom "proxy" tag  => HTML emitted in its place
	'<link>'       => '<a href="http://',
	'</link>'      => '</a>',
	'<slink>'      => '<a href="https://',
	'</slink>'     => '</a>',
	'<label>'      => '" target="_blank">',
	'<email>'      => '<a href="mailto:',
	'<name>'       => '">',
	'</email>'     => '</a>',
	'<photo>'      => "<img class=\"floatleft\" alt=\"mug\" src=\"$scr",
	'</photo>'     => '">',
	'<blue-line>'  => "<div class=\"horzline\"></div>\n",
	'<blue_line>'  => "<div class=\"horzline\"></div>\n",
	'<images>'     => "<div class=\"images\">",
	'</images>'    => "</div>\n",
	'<no_banner>'  => '',
	'<no_menu>'    => '',
	'<return>'     => "<div class=\"return\"><a style=\"text-decoration:underline\" href=\"$request_url\">Return to previous page</a></div>\n",
);

Jochem Maas wrote:
Al wrote:
Good point about the '<script> evil haxor code here; </script>'.  That's
bad for our users, not the site, per se.

what is bad for your users is bad for your site, on top of that
the script is running in the context of your domain - all sorts of
nasty possibilities that could affect your site.

Raw text to HTML is primarily done with a series of preg_replace()
operations.

what/how [exactly] the transformation is done determines
whether you're safe.

No include() or exec() allowed near the text.

Sounds like I'm in pretty good shape.

maybe, maybe not - see above.

(do you practice any sports? ;-P)

...

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
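An added example, not code from the original thread, to illustrate Jochem's point that how the transformation is done decides whether the site is safe. The map below is a constructed subset of Al's array (the `$scr` and `$request_url` entries are left out), and `unsafe_translate()` / `safe_translate()` are hypothetical helper names. The first function does what a plain `strtr()`/`str_replace()` pass over the array does and lets a raw `<script>` tag and an attribute breakout straight through; the second escapes the text with `htmlspecialchars()` first, then translates only the escaped forms of the proxy tags and validates a URL before placing it in `href`.

```php
<?php
// Added example, not the original poster's code. Demonstrates why a plain
// strtr()/str_replace() translation of custom tags is not XSS-safe, and
// one way to do it safely: escape everything first, then translate the
// escaped proxy tags and validate attacker-controlled URLs.

// Constructed subset of the posted translation array (hypothetical map;
// the $scr and $request_url entries are left out).
$translate_array = [
    '<link>'      => '<a href="http://',
    '</link>'     => '</a>',
    '<slink>'     => '<a href="https://',
    '</slink>'    => '</a>',
    '<label>'     => '" target="_blank">',
    '<blue-line>' => "<div class=\"horzline\"></div>\n",
];

// Unsafe: only the proxy tags are rewritten; every other character the
// user typed reaches the browser unchanged.
function unsafe_translate(string $text, array $map): string
{
    return strtr($text, $map);
}

// Safe variant: escape first, so user-typed '<', '>' and '"' can never
// form markup, then recognise the *escaped* proxy tags and rebuild the
// HTML from validated pieces.
function safe_translate(string $text): string
{
    $html = htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // <link>URL<label>TEXT</link>, and the https <slink> form. After
    // escaping, the tags read &lt;link&gt; etc., so that is what we match.
    $html = preg_replace_callback(
        '/&lt;(s?link)&gt;(.*?)&lt;label&gt;(.*?)&lt;\/\1&gt;/s',
        function (array $m): string {
            $scheme = ($m[1] === 'slink') ? 'https://' : 'http://';
            // Decode to get the raw URL the user typed, validate it, and
            // re-escape it on output so a quote can never close the attribute.
            $url = $scheme . html_entity_decode($m[2], ENT_QUOTES | ENT_HTML5, 'UTF-8');
            if (filter_var($url, FILTER_VALIDATE_URL) === false) {
                return $m[3];   // bad URL: keep the (already escaped) label, drop the link
            }
            return '<a href="' . htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8')
                 . '" target="_blank" rel="noopener">' . $m[3] . '</a>';
        },
        $html
    );

    // Proxy tags that carry no user data can still be a plain replacement,
    // but again matched on their escaped form.
    return strtr($html, [
        '&lt;blue-line&gt;' => "<div class=\"horzline\"></div>\n",
        '&lt;blue_line&gt;' => "<div class=\"horzline\"></div>\n",
    ]);
}

// Constructed attacker input: a quote to break out of the href attribute,
// plus a bare script tag that the translation array never looks at.
$input = 'Visit <link>example.com" onmouseover="alert(1)<label>my site</link>'
       . ' <script>alert(document.cookie)</script>';

echo "unsafe: ", unsafe_translate($input, $translate_array), "\n";
echo "safe:   ", safe_translate($input), "\n";
```

The unsafe pass emits the attacker's `onmouseover` handler inside the anchor and the `<script>` element verbatim, because the array only ever looks for its own tags. In the safe pass the script tag survives only as `&lt;script&gt;` text, and the malformed URL fails `filter_var()` so the link collapses to its label; even if a crafted URL passed validation, it is re-escaped on output, so it cannot close the attribute.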

