Gabriel Sosa wrote:
this one
strip_tags('%3C%68%31%3E%68%65%6C%6C%6F%20%77%6F%72%6C%64%3C%2F%68%31%3E');
aka <h1>hello world</h1> using urlencode from http://ha.ckers.org/xss.html
take care of the possible XSS
Regards
gabriel
On Wed, May 14, 2008 at 11:56 PM, Yi Wang <wangyi6854@xxxxxxxxx> wrote:
Can anyone provide some code that can't be stripped by strip_tags?
On 5/15/08, Eric Butera <eric.butera@xxxxxxxxx> wrote:
On Wed, May 14, 2008 at 11:38 AM, Robert Cummings <robert@xxxxxxxxxxxxx> wrote:
>
>
> On Wed, 2008-05-14 at 11:18 -0400, Eric Butera wrote:
> > On Tue, May 13, 2008 at 4:07 AM, James Dempster <letssurf@xxxxxxxxx> wrote:
> > > http://htmlpurifier.org/
> > >
> > > --
> > > /James
> > >
> >
> > This is the only real solution.
>
> That depends... if I'm the webmaster and I want to input arbitrary HTML,
> then htmlpurifier is unnecessary.
>
>
>
> Cheers,
> Rob.
> --
> http://www.interjinn.com
> Application and Templating Framework for PHP
>
>
OP said "users." Strip tags doesn't bother with tag attributes so
that is a security hole. Any regex type solution will encounter the
same set of issues.
Htmlpurifier actually strips down and re-builds your html from the
ground up against a nice whitelist filtering system that you can
customize to your needs. No nasty tags/attributes will get through
unless you want them to.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
--
Regards,
Wang Yi
Yes, this raw string can't be stripped by strip_tags. But actually, how
does the string cause XSS? The string has been URL-decoded before we use it.
For example, assuming the URL is
test.php?test_string=%3C%68%31%3E%68%65%6C%6C%6F%20%77%6F%72%6C%64%3C%2F%68%31%3E
<?php
var_dump( strip_tags( $_GET[ 'test_string' ] ) );
?>
should produce string(11) "hello world".
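The two points made in this thread, as an added example that is not code from any of the posters: PHP decodes the query string before strip_tags ever sees it, so the percent-encoded string is not a bypass, and strip_tags with an allowed-tag list leaves attributes on those tags intact, so output still needs htmlspecialchars. The parse_str call stands in for the decoding PHP performs when it builds $_GET; the inputs are constructed for the demonstration.

```php
<?php
// Added example, not code from the thread. Shows why URL encoding does not
// bypass strip_tags, and why strip_tags alone is still not an XSS defence.

// 1. PHP decodes the query string before populating $_GET, so strip_tags
//    sees real '<' and '>' characters. parse_str() applies the same decoding.
$query = 'test_string=%3C%68%31%3E%68%65%6C%6C%6F%20%77%6F%72%6C%64%3C%2F%68%31%3E';
parse_str($query, $params);
var_dump($params['test_string']);             // string(20) "<h1>hello world</h1>"
var_dump(strip_tags($params['test_string'])); // string(11) "hello world"

// 2. Running strip_tags on the still-encoded text only looks like a bypass:
//    there are no literal tags to strip, and the encoded text is inert
//    until something decodes it.
var_dump(strip_tags($query) === $query);      // bool(true): nothing removed

// 3. With an allowed-tag list, strip_tags keeps every attribute of the
//    allowed tags, event handlers included. Disallowed tags are removed but
//    their inner text is kept. This is the hole Eric describes.
$userHtml = '<b onmouseover="handler()">bold</b><script>x()</script>';
var_dump(strip_tags($userHtml, '<b>'));
// string(43) "<b onmouseover="handler()">bold</b>x()"  -> attribute survives

// 4. Output encoding treats user input as text, never as markup. Use it when
//    users are not meant to supply HTML at all; for rich text, use an
//    allow-list rebuilder such as HTML Purifier, as the thread recommends.
function safe_text($input)
{
    return htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
}
var_dump(safe_text($userHtml));
// every '<', '>', '"' becomes an entity, so the browser renders it as text
```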