On Thu, 2007-02-08 at 15:32 -0700, Don wrote:
> > I asked this question a while ago and never really visited the issue till
> > now. The response I got showed me how to disable everything, but I want to
> > allow basic html tags.
>
> > http://us3.php.net/strip_tags
> >
> > You can use the optional second parameter to specify tags which should not
> > be stripped.
> >
> > HTH,
> >
> > Brad
>
> I ended up using strip_tags (thanks Brad)
>
> But to disable other ways of getting javascript to run I also included
> this....
>
> $pattern =
> array('/(javascript)/','/([jJ(j)][aA(a)][vV(v)][aA(a)][sS(5)][cC(c)][rR(r)][iI(i)][pP(p)][tT(t)])/','/(\.[jJ(j)][sS(s)])/','/([xX][sS(s)][sS(s)])/','/([xX][mM][lL])/');
>
> $candidateNewBio = preg_replace($pattern, '', $candidateNewBio);
>
> Is this worthwhile or a waste of time, because it seems to really protect
> your site, you need to have a contingency for every possible attack.... And I
> don't even know how some of this stuff is even working with my level of
> understanding

Like a previous poster said... you need to be smarter than that. Markup the
entire document via htmlspecialchars() then replace basic tags with real
tags. So...

<?php

$safe = htmlspecialchars( $content );
$safe = str_replace( '&lt;b&gt;', '<b>', $safe );

?>

Better yet, switch to something like BBCode. Why you ask... because let's
say you do the following:

<?php

$safe = strip_tags( $content, '<b>' );

?>

All Joe Hacker needs to do is submit the following:

-----
This is tricky <b onmouseover="document.location = 'www.mypr0n.com';">
-----

This line of attack is clearly warned about in the documentation for
strip_tags().

Cheers,
Rob.
-- 
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for       |
| creating re-usable components quickly and easily.          |
`------------------------------------------------------------'

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
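The escape-then-re-enable approach Rob describes, written out as a complete function. This is an added example, not code from the thread or from any of its posters; the function name allowBasicTags and the variable names are assumptions, and the two inputs are constructed here (the second one is the attribute-bearing tag quoted in the reply above). It also shows, for contrast, what strip_tags() with an allow-list leaves behind on the same input.

```php
<?php
// Added example (not from the original thread). Escape everything first, then
// turn only an exact, attribute-free allow-list of tags back into markup. A tag
// carrying an attribute such as onmouseover never matches the escaped form
// '&lt;b&gt;' exactly, so it stays inert as literal text.

function allowBasicTags(string $content, array $allowed = ['b', 'i', 'u']): string
{
    // Step 1: neutralise every '<', '>', '&' and both quote characters.
    $safe = htmlspecialchars($content, ENT_QUOTES, 'UTF-8');

    // Step 2: re-enable only exact opening and closing forms of allowed tags.
    // Case-sensitive by design: '<B>' is not re-enabled, which errs on the safe side.
    foreach ($allowed as $tag) {
        $safe = str_replace(
            ['&lt;' . $tag . '&gt;', '&lt;/' . $tag . '&gt;'],
            ['<' . $tag . '>', '</' . $tag . '>'],
            $safe
        );
    }

    return $safe;
}

// Constructed inputs: a legitimate bold span, and the tag-with-attribute from the thread.
$benign = 'Hello <b>world</b>';
$tricky = 'This is tricky <b onmouseover="document.location = \'www.mypr0n.com\';">';

echo allowBasicTags($benign), PHP_EOL;
echo allowBasicTags($tricky), PHP_EOL;

// Contrast: strip_tags() keeps the whole allowed tag, attributes included.
echo strip_tags($tricky, '<b>'), PHP_EOL;
```

Running it prints the first input with a real <b>...</b> pair, the second input with the whole `<b onmouseover=...>` still HTML-escaped (so the browser renders it as text and runs nothing), and the strip_tags() line with the onmouseover attribute intact, which is exactly the case the strip_tags() documentation warns about.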