On Wed, May 14, 2008 at 10:56 PM, Yi Wang <wangyi6854@xxxxxxxxx> wrote:
> Can anyone provide some code that can't be stripped by strip_tags?
>
> On 5/15/08, Eric Butera <eric.butera@xxxxxxxxx> wrote:
>> On Wed, May 14, 2008 at 11:38 AM, Robert Cummings <robert@xxxxxxxxxxxxx> wrote:
>> >
>> > On Wed, 2008-05-14 at 11:18 -0400, Eric Butera wrote:
>> > > On Tue, May 13, 2008 at 4:07 AM, James Dempster <letssurf@xxxxxxxxx> wrote:
>> > > > http://htmlpurifier.org/
>> > > >
>> > > > --
>> > > > /James
>> > > >
>> > >
>> > > This is the only real solution.
>> >
>> > That depends... if I'm the webmaster and I want to input arbitrary HTML,
>> > then htmlpurifier is unnecessary.
>> >
>> > Cheers,
>> > Rob.
>> > --
>> > http://www.interjinn.com
>> > Application and Templating Framework for PHP
>> >
>>
>> OP said "users." Strip tags doesn't bother with tag attributes, so
>> that is a security hole. Any regex-type solution will encounter the
>> same set of issues.
>>
>> Htmlpurifier actually strips down and re-builds your html from the
>> ground up against a nice whitelist filtering system that you can
>> customize to your needs. No nasty tags/attributes will get through
>> unless you want them to.
>>
>> --
>> PHP General Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php
>>
>
> --
> Regards,
> Wang Yi
>

I meant if you used the allow tags parameter. If you allow, say, the <b> tag, then you could say <b key="value"> and it would pass right through.
<?php
$str = "<b>hi</b><b onMouseOver='alert(/xss/);'>xss</b>";

echo "raw:\n";
var_dump($str);

echo "strip tags:\n";
var_dump(strip_tags($str));          // no allowed tags: every tag is removed

echo "allow b:\n";
var_dump(strip_tags($str, '<b>'));   // <b> allowed: its attributes pass through untouched
?>

raw:
string '<b>hi</b><b onMouseOver='alert(/xss/);'>xss</b>' (length=47)
strip tags:
string 'hixss' (length=5)
allow b:
string '<b>hi</b><b onMouseOver='alert(/xss/);'>xss</b>' (length=47)
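The two points in this message, as an added example that is not code from the thread or from HTMLPurifier: strip_tags() keeps every attribute on a tag you allow, including event handlers and a javascript: href, whereas parsing the input and rebuilding it against an allowlist of tags and of per-tag attributes lets nothing through that was not explicitly permitted. The function names rebuildHtml() and renderNode(), the allowlists and the sample input are this example's own choices, not anybody's API; the DOMDocument calls are stock PHP.

```php
<?php
// Added example, not part of the mailing-list thread. Requires PHP >= 7 with ext/dom.

/**
 * Rebuild $html so that only $allowedTags survive and, on those tags, only the
 * attributes listed for that tag in $allowedAttrs. Text content is always kept
 * (re-escaped); disallowed tags are unwrapped, their text kept, the tag dropped.
 * Assumes non-void tags only (a <br> would be emitted as <br></br>).
 */
function rebuildHtml(string $html, array $allowedTags, array $allowedAttrs): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);           // tolerate tag soup silently
    // The XML PI pins the charset; the <div> wrapper stops libxml from adding <p>.
    $doc->loadHTML('<?xml encoding="utf-8"?><div>' . $html . '</div>');
    libxml_clear_errors();

    $wrapper = $doc->getElementsByTagName('body')->item(0)->firstChild;
    $out = '';
    foreach ($wrapper->childNodes as $child) {
        $out .= renderNode($child, $allowedTags, $allowedAttrs);
    }
    return $out;
}

function renderNode(DOMNode $node, array $allowedTags, array $allowedAttrs): string
{
    if ($node instanceof DOMText) {              // includes CDATA sections
        return htmlspecialchars($node->nodeValue, ENT_QUOTES, 'UTF-8');
    }
    if (!$node instanceof DOMElement) {
        return '';                               // comments, PIs: dropped
    }

    $tag   = strtolower($node->tagName);
    $inner = '';
    foreach ($node->childNodes as $child) {
        $inner .= renderNode($child, $allowedTags, $allowedAttrs);
    }
    if (!in_array($tag, $allowedTags, true)) {
        return $inner;                           // keep the text, lose the tag
    }

    $attrs = '';
    foreach ($node->attributes as $attr) {
        $name = strtolower($attr->name);
        if (!in_array($name, $allowedAttrs[$tag] ?? [], true)) {
            continue;                            // onmouseover, style, ... are gone
        }
        // A URL attribute needs a scheme check on top of the name allowlist,
        // otherwise href="javascript:..." rides through the allowlist.
        if ($name === 'href' && !preg_match('#^(https?:|mailto:)#i', ltrim($attr->value))) {
            continue;
        }
        $attrs .= ' ' . $name . '="' . htmlspecialchars($attr->value, ENT_QUOTES, 'UTF-8') . '"';
    }
    return "<$tag$attrs>$inner</$tag>";
}

// Constructed sample input: the thread's payload plus a javascript: link and a script.
$input = "<b>hi</b><b onMouseOver='alert(/xss/);'>xss</b>"
       . "<a href=\"javascript:alert(1)\">link</a><script>alert(2)</script>";

echo "strip_tags with <b><a> allowed:\n";
echo strip_tags($input, '<b><a>'), "\n";     // onMouseOver and the javascript: href survive

echo "allowlist rebuild:\n";
echo rebuildHtml($input, ['b', 'i', 'em', 'strong', 'a', 'p'], ['a' => ['href']]), "\n";
// The event handler, the javascript: href and the <script> tag are all gone;
// the script body is emitted as escaped text because it is a text node to the parser.
```

The difference to notice is where the decision is made: strip_tags() decides per tag name and never looks at attributes, so allowing a tag allows every attribute on it. The rebuild decides per tag, per attribute, and for URL attributes per scheme, and it emits fresh markup from the parsed tree instead of passing the original bytes through, which is why malformed or tricky input cannot smuggle anything past it. This sketch covers tags, attributes and href schemes only; a real sanitizer such as HTMLPurifier also has to deal with CSS in style attributes, entity encodings and nesting rules.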