--- Lawrence Kennon <[EMAIL PROTECTED]> wrote:

> For a BBS I would like to let users post links to various resources.
> They 'post' a message to the BBS via a form and that is stored in a
> MySQL db, then the content of their 'post' is available to other users
> on the BBS. Currently I strip out all PHP/HTML with the strip_tags()
> function. What I would really like to do is allow a limited set of HTML
> tags (like the anchor <a> tag) but at the same time implement reasonable
> protection.
I prefer htmlentities() to strip_tags() in cases like this, because by
stripping tags, you eliminate the chance that your users can talk about
code. If you use htmlentities() instead, their code will appear exactly
as they typed it. You may not want this, but I thought I'd mention it.

> In regards specifically to the HTML anchor tag <a>, are there guidelines
> for what should, and should not be allowed?

Any tag like anchor is more difficult to deal with, because you have
attributes whose values can be anything. For something like a bold tag,
on the other hand, you can simply replace &lt;b&gt; with <b> and do the
same for the closing tag.

With tags like anchor, you want to determine two things:

1. Which attributes you want to allow, stripping all others (or the
   entire anchor tag if this rule is broken). For example, you may want
   to begin by only allowing href.

2. What the acceptable format is of each of the attributes you allow.
   For example, with the href attribute, you probably want to only allow
   valid URLs. If you allow anything, someone might be able to use some
   client-side scripting trickery to do something you did not intend.

It's better to be safe.

I don't have any sample code to give you, but maybe someone else can
pitch in.

Hope that helps.

Chris

=====
My Blog
    http://shiflett.org/
HTTP Developer's Handbook
    http://httphandbook.org/
RAMP Training Courses
    http://www.nyphp.org/ramp

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
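Since Chris had no sample code to hand, here is an added example (not from the thread) implementing his two rules in PHP: encode everything with htmlspecialchars(), re-enable a few attribute-free tags, and rebuild an anchor only when its sole attribute is an href that validates as an http/https URL. The function names, the allowed-tag list and the use of filter_var() are my choices, not anything from the original post.

```php
<?php
// Allow-list sanitizer for BBS posts: entity-encode everything first, then
// re-enable only attribute-free tags and an <a href> whose URL validates.
// Anything that does not match the allowed form stays encoded, so readers
// see it literally instead of the browser interpreting it.

const ALLOWED_SIMPLE_TAGS = ['b', 'i', 'em', 'strong']; // assumed list, no attributes
const ALLOWED_URL_SCHEMES = ['http', 'https'];           // rejects javascript:, data:, ...

function sanitize_post(string $raw): string
{
    // Step 0: neutralise all markup; users can still "talk about code".
    $s = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');

    // Step 1: turn e.g. "&lt;b&gt;" back into "<b>" (and the closing tag).
    foreach (ALLOWED_SIMPLE_TAGS as $tag) {
        $s = str_replace(["&lt;{$tag}&gt;", "&lt;/{$tag}&gt;"], ["<{$tag}>", "</{$tag}>"], $s);
    }

    // Step 2: anchors. Only the exact form <a href="..."> ... </a> (one attribute,
    // double-quoted) is accepted; an anchor carrying onclick or similar never matches,
    // so the whole tag remains visible, inert text.
    $pattern = '~&lt;a\s+href=&quot;(.*?)&quot;\s*&gt;(.*?)&lt;/a&gt;~is';
    return preg_replace_callback($pattern, 'rebuild_anchor', $s);
}

function rebuild_anchor(array $m): string
{
    // The captured href is still entity-encoded (e.g. &amp;); decode before validating.
    $url = html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');

    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return $m[0]; // malformed URL: leave the encoded text untouched
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ALLOWED_URL_SCHEMES, true)) {
        return $m[0]; // FILTER_VALIDATE_URL alone accepts other schemes
    }
    // Re-encode the validated URL for safe placement inside the attribute;
    // the link text $m[2] is already encoded, so it cannot add markup of its own.
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">' . $m[2] . '</a>';
}

// Constructed sample posts:
echo sanitize_post('See <a href="http://example.com/?a=1&b=2">this</a> and <b>this</b>'), "\n";
echo sanitize_post('<a href="javascript:alert(1)">x</a> <a href="http://example.com/" onclick="f()">y</a>'), "\n";
echo sanitize_post('<script>alert(1)</script> <b onmouseover="g()">hi</b>'), "\n";
```

Run it once on output, not on the stored post, so the original text stays available if the allow-list is tightened later.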