On 20 May 2010 14:53, Al <news@xxxxxxxxxxxxx> wrote:
> I have a password-protected, user, on-line editor that I'm hardening against
> hackers just in case a user's pw is stolen or local PC is infected.
>
> The user can enter html tags; but, I restrict the acceptable tags to benign
> ones. e.g., <p>, <b>, <table>, etc. e.g., no <embed... <script... etc.
>
> Just to be extra safe, I've added a function that parses for executables in
> the raw, entered text. If found, I post a nasty error message and ignore
> the entry altogether.
>
> Here are my regex patterns. I tried finding a complete list of browser
> executables; but was unsuccessful, probably because I didn't use the right
> key words.
>
> Anyone have suggestions for additional patterns?
>
> $securityPatternsArray=array(
>     "\<script\x20",
>     "\<embed\x20",
>     "\<object\x20",
>     'language="javascript"',
>     'type="text/javascript"',
>     'language="vbscript"',
>     'type="text/vbscript"',
>     'language="vbscript"',
>     'type="text/tcl"',
>     "error_reporting\(0\)", // Most hacks I've seen make certain they turn off error reporting
>     "\<?php", // Here for the heck of it.
> );
>

Rolling your own when it comes to this is a very bad idea: chances are you'll
miss something even if asking a list like this. Much better to use an existing
tool like htmlpurifier.

Regards
Peter

--
<hype>
WWW: http://plphp.dk / http://plind.dk
LinkedIn: http://www.linkedin.com/in/plind
Flickr: http://www.flickr.com/photos/fake51
BeWelcome: Fake51
Couchsurfing: Fake51
</hype>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
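As an added illustration of Peter's point (example code, not from either poster and not HTMLPurifier's own code): a minimal allow-list sanitizer on PHP's DOMDocument that keeps only Al's example tags and discards everything else, rather than pattern-matching for known-bad strings. The attribute policy (strip every attribute) and the choice to drop disallowed elements together with their content are assumptions of this example; HTMLPurifier does the same job far more completely.

```php
<?php
// Added example: allow-list HTML sanitizer using DOMDocument.
// Unknown elements are removed with their content (a production sanitizer
// such as HTMLPurifier would unwrap them instead); allowed elements keep
// no attributes at all, so event handlers, style and href never survive.

function sanitize_allowlist(string $html, array $allowedTags): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // tolerate malformed user markup
    // Wrap in a <div> so a fragment parses without libxml adding <html><body>.
    $doc->loadHTML(
        '<?xml encoding="UTF-8"?><div>' . $html . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD
    );
    libxml_clear_errors();

    $allowed = array_map('strtolower', $allowedTags);
    $xpath   = new DOMXPath($doc);
    // Reverse document order visits descendants before their ancestors,
    // so removing a parent never disturbs a node still to be processed.
    $nodes = array_reverse(iterator_to_array($xpath->query('//*')));
    foreach ($nodes as $el) {
        if ($el === $doc->documentElement) {
            continue; // the wrapper <div> added above
        }
        if (!in_array(strtolower($el->nodeName), $allowed, true)) {
            $el->parentNode->removeChild($el); // not on the list: drop it
            continue;
        }
        while ($el->attributes->length > 0) { // allowed tag: strip attributes
            $el->removeAttributeNode($el->attributes->item(0));
        }
    }

    $out = '';
    foreach ($doc->documentElement->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample input (assumed tag set from Al's message plus i/tr/td).
$allowed = ['p', 'b', 'i', 'table', 'tr', 'td'];
$dirty   = '<p onclick="run()">Hello <b>world</b><script>run()</script></p>';
echo sanitize_allowlist($dirty, $allowed), "\n";
```

Because the tag list is the policy, anything not named in it is gone by default; there is no list of "executables" to keep up to date.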