Once you open up ANY HTML tag to the public you open a huge can of worms and
trouble, like the following for example:

<a href="http://php.net" onmousemove="javascript:alert('Blar Blar Blar');">Click me!</a>

My JavaScript is not great (I could not think of anything more damaging) but
it's pretty clear what the possibilities are.

Strip all tags and use a custom system is my advice.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Monday, 16 July 1979 3:59 PM
> To: Ray Dow; [EMAIL PROTECTED]
> Subject: Re: [PHP] RE: html in my form? bad things! help help help!
>
>
> on 7/16/01 2:03 AM, Ray Dow at [EMAIL PROTECTED] wrote:
>
> > Everything removed by strip_tags(), including <a href="somelink>click
> > me</a> (your original example)
> >
> > See the problem?
>
> Everything isn't removed if you set it up like this:
>
>
> strip_tags($string,"<a>,<i>,<b>")
>
>
> that part is working fine, it's tags with missing quotes that
> have me worried, like this:
>
> <a href="http://www.someplace.com>My site!</a>
>
>
>
> --
> [EMAIL PROTECTED]
> http://futurebird.diaryland.com
>
>
--
PHP General Mailing List (http://www.php.net/)
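
The two points raised in this thread, as an added example that is not part of the original messages: strip_tags() with an allow-list keeps every attribute of an allowed tag, and the "strip all tags and use a custom system" advice can be met by escaping all input and translating a small bracket markup into fixed HTML. The function name render_comment() and the [b]/[i]/[url=...] syntax are assumptions made for this illustration.

```php
<?php
// Added illustration. render_comment() and the bracket markup are hypothetical.

// 1. The weak setting: an allowed tag keeps all of its attributes.
$input = <<<'HTML'
<a href="http://php.net" onmousemove="javascript:alert('Blar Blar Blar');">Click me!</a>
HTML;
$kept = strip_tags($input, '<a><i><b>');
// strip_tags() filters tag names only, so the event handler is still present.
var_dump(strpos($kept, 'onmousemove') !== false);

// 2. The custom system: nothing the user types is ever emitted as markup.
function render_comment(string $text): string
{
    // Escape first. After this, user input cannot open a tag or close an
    // attribute, so a tag with a missing quote is shown as plain text.
    $safe = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');

    // Links next, while the text still contains no real tags. Only http and
    // https are accepted, and the URL may not contain whitespace or brackets.
    // The URL is already HTML-escaped, so it cannot break out of href="...".
    $safe = preg_replace_callback(
        '~\[url=(https?://[^\s\[\]]+)\](.*?)\[/url\]~s',
        function (array $m): string {
            return '<a href="' . $m[1] . '" rel="nofollow">' . $m[2] . '</a>';
        },
        $safe
    );

    // Bold and italic become fixed tags that carry no attributes at all.
    return preg_replace('~\[(b|i)\](.*?)\[/\1\]~s', '<$1>$2</$1>', $safe);
}

// Constructed sample inputs, including the missing-quote tag from the thread.
$samples = [
    '[b]Hello[/b] and [url=http://php.net]PHP[/url]',
    '<a href="http://www.someplace.com>My site!</a>',
    '[url=javascript:alert(1)]not a link[/url]',
    $input,
];
foreach ($samples as $sample) {
    echo render_comment($sample), "\n";
}
```

Only the first sample produces live HTML; the other three come out as escaped text, because the tag is never parsed as a tag and the javascript: scheme does not match the link pattern.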