On Wed, May 14, 2008 at 11:38 AM, Robert Cummings <robert@xxxxxxxxxxxxx> wrote: > > > On Wed, 2008-05-14 at 11:18 -0400, Eric Butera wrote: > > On Tue, May 13, 2008 at 4:07 AM, James Dempster <letssurf@xxxxxxxxx> wrote: > > > http://htmlpurifier.org/ > > > > > > -- > > > /James > > > > > > > This is the only real solution. > > That depends... if I'm the webmaster and I want to input arbitrary HTML, > then htmlpurifier is unnecessary. > > > > Cheers, > Rob. > -- > http://www.interjinn.com > Application and Templating Framework for PHP > > OP said "users." Strip tags doesn't bother with tag attributes so that is a security hole. Any regex type solution will encounter the same set of issues. Htmlpurifier actually strips down and re-builds your html from the ground against a nice whitelist filtering system that you can customize to your needs. No nasty tags/attributes will get through unless you want them to. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
