On Sun, 2010-03-14 at 12:25 +0100, Rene Veerman wrote: > On Sun, Mar 14, 2010 at 12:24 PM, Rene Veerman <rene7705@xxxxxxxxx> wrote: > > > > I'd love to have a copy of whatever function you use to filter out bad > > HTML/js/flash for use cases where users are allowed to enter html. > > I'm aware of strip_tags() "allowed tags" param, but haven't got a good list > > for it. > > > > oh, and even <img> tags can be used for cookie-stuffing on many browsers.. > Yes, and you call strip_tags() before the data goes to the browser for display, not before it gets inserted into the database. Essentially, you need to keep as much original information as possible. Thanks, Ash http://www.ashleysheridan.co.uk