On 5/15/08, Eric Butera <eric.butera@xxxxxxxxx> wrote:
> On Wed, May 14, 2008 at 10:56 PM, Yi Wang <wangyi6854@xxxxxxxxx> wrote:
> > Can anyone provide some code that can't be stripped by strip_tags?
> >
> >
> > On 5/15/08, Eric Butera <eric.butera@xxxxxxxxx> wrote:
> >> On Wed, May 14, 2008 at 11:38 AM, Robert Cummings <robert@xxxxxxxxxxxxx> wrote:
> >> >
> >> >
> >> > On Wed, 2008-05-14 at 11:18 -0400, Eric Butera wrote:
> >> > > On Tue, May 13, 2008 at 4:07 AM, James Dempster <letssurf@xxxxxxxxx> wrote:
> >> > > > http://htmlpurifier.org/
> >> > > >
> >> > > > --
> >> > > > /James
> >> > > >
> >> > >
> >> > > This is the only real solution.
> >> >
> >> > That depends... if I'm the webmaster and I want to input arbitrary HTML,
> >> > then htmlpurifier is unnecessary.
> >> >
> >> >
> >> >
> >> > Cheers,
> >> > Rob.
> >> > --
> >> > http://www.interjinn.com
> >> > Application and Templating Framework for PHP
> >> >
> >> >
> >>
> >>
> >> OP said "users." Strip tags doesn't bother with tag attributes so
> >> that is a security hole. Any regex type solution will encounter the
> >> same set of issues.
> >>
> >> Htmlpurifier actually strips down and re-builds your html from the
> >> ground against a nice whitelist filtering system that you can
> >> customize to your needs. No nasty tags/attributes will get through
> >> unless you want them to.
> >>
> >>
> >>
> >
> >
> > --
> > Regards,
> > Wang Yi
> >
>
>
> I meant if you used the allow tags parameter. If you allow say the
> <b> tag, then you could say <b key="value"> and it would pass right
> through.
>
> <?php
>
> $str = "<b>hi</b><b onMouseOver='alert(/xss/);'>xss</b>";
>
> echo "raw:\n";
> var_dump($str);
>
> echo "strip tags:\n";
> var_dump(strip_tags($str));
>
> echo "allow b:\n";
> var_dump(strip_tags($str, '<b>'));
> ?>
>
> raw:
> string '<b>hi</b><b onMouseOver='alert(/xss/);'>xss</b>' (length=47)
> strip tags:
> string 'hixss' (length=5)
> allow b:
> string '<b>hi</b><b onMouseOver='alert(/xss/);'>xss</b>' (length=47)
>
Yes, you are right. I always used to work with plain text.
Thanks!
--
cheers,
Yi Wang
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
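
The point Eric makes above, that strip_tags() with an allowed-tags list keeps every attribute on an allowed tag, is worth seeing next to the alternative he recommends: parse the input and rebuild it from an allowlist. The block below is an added example and is not code from the original thread or from HTML Purifier. The allowlist_sanitize() function, its $allowed format (tag name mapped to the attribute names permitted on it) and the sample input are a hypothetical illustration written here in the spirit of HTML Purifier, not its API; it uses only PHP's bundled DOM extension.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original thread or from HTML Purifier.
// Contrast: strip_tags() with an allowed-tags list versus a small
// rebuild-from-allowlist sanitizer. allowlist_sanitize() and the $allowed
// format (tag name => list of permitted attribute names) are a hypothetical
// illustration of the approach, not HTML Purifier's API.

function allowlist_sanitize(string $html, array $allowed): string
{
    $doc = new DOMDocument();
    // The <?xml encoding ...> processing instruction makes libxml read the
    // input as UTF-8; internal error handling silences warnings about the
    // malformed markup that untrusted input routinely contains.
    $prev = libxml_use_internal_errors(true);
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $html . '</body>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $body = $doc->getElementsByTagName('body')->item(0);
    return $body === null ? '' : rebuild_children($body, $allowed);
}

function rebuild_children(DOMNode $node, array $allowed): string
{
    $out = '';
    foreach ($node->childNodes as $child) {
        if ($child instanceof DOMText) {
            // Text is re-escaped on the way out, so markup hidden in a text
            // node cannot be re-interpreted by the browser.
            $out .= htmlspecialchars($child->nodeValue, ENT_QUOTES | ENT_HTML5, 'UTF-8');
            continue;
        }
        if (!$child instanceof DOMElement) {
            continue; // comments, processing instructions, etc. are dropped
        }
        $tag = strtolower($child->tagName);
        if ($tag === 'script' || $tag === 'style') {
            continue; // drop these elements together with their contents
        }
        $inner = rebuild_children($child, $allowed);
        if (!isset($allowed[$tag])) {
            $out .= $inner; // element not in the allowlist: keep text, lose tag
            continue;
        }
        // Only attributes named in the allowlist are copied. onMouseOver,
        // style, etc. never get through because they are never looked at.
        $attrs = '';
        foreach ($allowed[$tag] as $name) {
            if (!$child->hasAttribute($name)) {
                continue;
            }
            $value = $child->getAttribute($name);
            if ($name === 'href' && !preg_match('#\A(?:https?:|mailto:)#i', trim($value))) {
                continue; // javascript:, data:, vbscript: and friends are rejected
            }
            $attrs .= ' ' . $name . '="'
                    . htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '"';
        }
        $out .= "<{$tag}{$attrs}>{$inner}</{$tag}>";
    }
    return $out;
}

// Constructed untrusted input, extending the thread's <b onMouseOver> case
// with a javascript: link and an inline script.
$untrusted = "<b>hi</b><b onMouseOver='alert(/xss/);'>xss</b>"
           . '<a href="javascript:alert(1)">click</a>'
           . '<script>alert(2)</script>';

echo "strip_tags allowing <b>:\n", strip_tags($untrusted, '<b>'), "\n\n";
echo "allowlist rebuild:\n",
     allowlist_sanitize($untrusted, ['b' => [], 'a' => ['href']]), "\n";
```

Run it with `php` on the command line. The strip_tags() output still carries the onMouseOver handler on the second <b>, exactly as in Eric's var_dump, because strip_tags() only looks at tag names. The rebuilt output keeps the two <b> elements and the <a> element but carries no attributes at all: the event handler is never copied, the javascript: href fails the scheme check, and the script element is dropped along with its contents. The sanitizer is deliberately small (no handling of CSS, of nested-table edge cases, or of the many other things HTML Purifier covers), so for real user-supplied HTML the library in the thread remains the right answer; the value of the example is to show why "parse, then rebuild from an allowlist" closes the hole that a tag-name filter leaves open.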