ID: 15972
Updated by: [EMAIL PROTECTED]
-Summary: strip_tags allows javascript
Reported By: [EMAIL PROTECTED]
Status: Open
Bug Type: Feature/Change Request
Operating System: Linux
PHP Version: 4.0.6

New Comment:
Rewrote the summary. It would be nice if the syntax were something like:

strip_tags($text, "a[href,target],br,p")

Previous Comments:
------------------------------------------------------------------------

[2002-03-09 12:08:43] [EMAIL PROTECTED]

Oops - that should be ...javascript:document...

------------------------------------------------------------------------

[2002-03-09 11:56:50] [EMAIL PROTECTED]

The HTML strip_tags() function permits any attributes. This gives a security hole. E.g. allowing <b> also permits:

<b onclick="javascript.document.location='http://www.evil.com';">

That's not so nice!

Context: I run a website in which I want to allow (untrusted) users to post messages formatted with a very limited subset of HTML. I don't want them to be able to do anything nasty.

I am aware that this may not really be a bug per se, and might be better as a new string function ('vanilla_tags'). But it could bite the unwary.

Thanks a lot
Richard

------------------------------------------------------------------------

-- 
Edit this bug report at http://bugs.php.net/?id=15972&edit=1
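As an added example (not code from this bug report or from PHP itself) of the attribute allow-list the maintainer proposes: a wrapper, with hypothetical function names, that accepts the "a[href,target],br,p" syntax and removes every attribute that strip_tags() would otherwise leave on an allowed tag, which is exactly the hole the reporter describes.

```php
<?php
// Added example, not from the bug report or PHP itself: implements the proposed
// "a[href,target],br,p" syntax on top of strip_tags(). Names are hypothetical; PHP 7+.

function parse_allowed_spec(string $spec): array
{
    // "a[href,target],br,p" -> ['a' => ['href','target'], 'br' => [], 'p' => []]
    $allowed = [];
    preg_match_all('/([a-z][a-z0-9]*)(?:\[([^\]]*)\])?/i', $spec, $m, PREG_SET_ORDER);
    foreach ($m as $match) {
        $allowed[strtolower($match[1])] = empty($match[2]) ? []
            : array_map('trim', explode(',', strtolower($match[2])));
    }
    return $allowed;
}

function strip_tags_attrs(string $html, string $spec): string
{
    $allowed = parse_allowed_spec($spec);
    // strip_tags() drops tags outside the list but keeps every attribute on the
    // tags it allows (the hole in the report); the callback below fixes that.
    $html = strip_tags($html, '<' . implode('><', array_keys($allowed)) . '>');
    return preg_replace_callback('/<(\/?)([a-z][a-z0-9]*)([^>]*?)(\/?)>/i',
        function (array $m) use ($allowed) {
            $tag = strtolower($m[2]);
            if ($m[1] === '/') {
                return "</$tag>";                 // closing tags carry no attributes
            }
            $kept = '';
            preg_match_all('/([a-z][a-z0-9:-]*)\s*=\s*("[^"]*"|\'[^\']*\'|[^\s"\'>]+)/i',
                           $m[3], $attrs, PREG_SET_ORDER);
            foreach ($attrs as $a) {
                $name = strtolower($a[1]);
                if (!in_array($name, $allowed[$tag] ?? [], true)) {
                    continue;                     // onclick, onmouseover, style, ... are dropped
                }
                // Decode entities first so "java&#115;cript:" cannot hide a scheme,
                // then keep only http, https and mailto URLs in href/src.
                $value = html_entity_decode(trim($a[2], "\"'"), ENT_QUOTES);
                if (in_array($name, ['href', 'src'], true)
                    && preg_match('/^\s*([a-z][a-z0-9+.\-]*):/i', $value, $s)
                    && !in_array(strtolower($s[1]), ['http', 'https', 'mailto'], true)) {
                    continue;
                }
                $kept .= ' ' . $name . '="' . htmlspecialchars($value, ENT_QUOTES) . '"';
            }
            return "<$tag$kept" . ($m[4] === '/' ? ' /' : '') . '>';
        }, $html);
}
```

Passing the report's `<b onclick="...">` through `strip_tags_attrs($html, 'a[href,target],b,br,p')` leaves a bare `<b>`, while an `<a>` keeps only its href and target. A regex tag pass like this is adequate for the tiny tag subset the reporter wants; for a larger subset, an HTML-parser-based sanitizer is the safer choice because attribute values containing `>` or malformed markup can confuse the tag regex.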
