I asked this question a while ago and never really visited the issue till now. The response I got showed me how to disable everything, but I want to allow basic html tags.

~My original question~

My next task is to disable harmful tags/scripts in a full text field. I want to store a bio type field and I am considering allowing html (to allow a MySpace type of customization to the page), but I am really new to this so I really don't know what kind of trouble I am asking for.

I'm sure that I need to block JavaScript, but are there other things (tags, scripting, etc.) that can be input into my DB that will cause problems either being stored as such or when accessed?

I'm thinking along the lines outlined below, I just need to complete the list and would like some assistance from the seasoned vets here.

Again, thanks for the advice in advance.

Don

Here is what I have come up with so far. I guess my question is whether str_replace is case sensitive (i.e. javascript == JavaScript).

Also, will this catch character encoding like javascript?

Also, is there anything else that I should add to the list?

    $bio = str_replace('/<script|<%|<?|.js|vbscript|.php|object|xss|xml|.css|javascript |script|meta|stylesheet|.swf|redirect|<\?|\?>|<%|%>/', "", $bio);

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
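
As an added example that is not part of the original post: one way to meet the "allow basic html tags" goal is an allowlist built on PHP's DOM extension, which keeps a short list of tags, strips every attribute, and escapes whatever remains as text. The function names, both tag lists and the sample bio are assumptions made for illustration; the last lines also show that `str_replace` searches for a pattern-style string as one literal, case-sensitive string.

```php
<?php
// Added example: names, tag lists and the sample input are assumptions, not from the post.
const ALLOWED_TAGS = ['b', 'i', 'em', 'strong', 'u', 'p', 'br', 'ul', 'ol', 'li'];
const DROP_WITH_CONTENT = ['script', 'style', 'object', 'embed', 'iframe', 'meta', 'link'];

function clean_node(DOMNode $node): void
{
    // Snapshot the child list because the loop mutates the tree.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child->nodeType === XML_TEXT_NODE) {
            continue;                        // plain text is escaped again on output
        }
        $tag = strtolower($child->nodeName);
        if ($child->nodeType !== XML_ELEMENT_NODE || in_array($tag, DROP_WITH_CONTENT, true)) {
            $node->removeChild($child);      // comments, CDATA, PIs, script-like elements
            continue;
        }
        clean_node($child);                  // sanitize descendants first
        if (in_array($tag, ALLOWED_TAGS, true)) {
            while ($child->attributes->length > 0) {   // no attribute survives (onclick, style, href)
                $child->removeAttributeNode($child->attributes->item(0));
            }
        } else {
            while ($child->firstChild) {     // unknown tag: unwrap it, keep its cleaned contents
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
        }
    }
}

function sanitize_bio(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);        // user markup is often malformed
    $doc->loadHTML('<?xml encoding="UTF-8">' . $html);   // prefix makes libxml read UTF-8
    libxml_clear_errors();
    $out = '';
    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body !== null) {
        clean_node($body);
        foreach ($body->childNodes as $child) {
            $out .= $doc->saveHTML($child);  // serialize only the cleaned fragment
        }
    }
    return $out;
}

$bio = '<p onclick="track()">Hi, I am <b>Don</b> <font size="7">!</font></p><SCRIPT>track()</SCRIPT>'; // constructed
// str_replace looks for this entire string literally (case-sensitive; str_ireplace ignores case).
var_dump(str_replace('/<script|vbscript|javascript/', '', $bio) === $bio);
echo sanitize_bio($bio), "\n";
```

Because the parser decodes character references before the tree is inspected and everything outside the allowlist is removed or re-escaped, encoded spellings of a tag or scheme get no special handling.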