--- Lawrence Kennon <[EMAIL PROTECTED]> wrote:
> For a BBS I would like to let users post links to various resources.
> They 'post' a message to the BBS via a form and that is stored in a
> MySQL db, then the content of their 'post' is available to other users
> on the BBS. Currently I strip out all PHP/HTML with the strip_tags()
> function. What I would really like to do is allow a limited set of HTML
> tags (like the anchor <a> tag) but at the same time implement reasonable
> protection.

I prefer htmlentities() to strip_tags() in cases like this, because by
stripping tags, you eliminate the chance that your users can talk about
code. If you use htmlentities() instead, their code will appear exactly as
they typed it. You may not want this, but I thought I'd mention it.

> In regards specifically to the HTML anchor tag <a>, are there guidelines
> for what should, and should not be allowed?

Any tag like anchor is more difficult to deal with, because you have
attributes whose values can be anything. For something like a bold tag, on
the other hand, you can simply replace &lt;b&gt; with <b> and do the same
for the closing tag.

With tags like anchor, you want to determine two things:

1. Which attributes you want to allow, stripping all others (or the entire
anchor tag if this rule is broken). For example, you may want to begin by
only allowing href.
2. What the acceptable format is of each of the attributes you allow. For
example, with the href attribute, you probably want to only allow valid
URLs. If you allow anything, someone might be able to use some client-side
scripting trickery to do something you did not intend. It's better to be
safe.

I don't have any sample code to give you, but maybe someone else can pitch
in.

Hope that helps.

Chris

=====
My Blog
     http://shiflett.org/
HTTP Developer's Handbook
     http://httphandbook.org/
RAMP Training Courses
     http://www.nyphp.org/ramp

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
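A sanitizer along the lines Chris describes (escape everything with htmlspecialchars(), restore attribute-less tags such as <b> by literal replacement, and for <a> allow only href and require it to be a valid http(s) URL), as an added example that is not part of the original thread; the function names, the regexes and the use of filter_var() are my own choices.

```php
<?php
// Added example (not from the original thread): escape everything first, then
// re-enable a small whitelist. Attribute-less tags are restored by literal
// replacement; <a> is rebuilt from scratch after checking its href.
function sanitize_post(string $raw): string
{
    // Step 1: neutralise every tag and entity the user typed.
    $safe = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
    // Step 2: tags without attributes are safe to restore verbatim.
    foreach (['b', 'i'] as $tag) {
        $safe = str_ireplace(["&lt;{$tag}&gt;", "&lt;/{$tag}&gt;"],
                             ["<{$tag}>", "</{$tag}>"], $safe);
    }
    // Step 3: match the escaped form "&lt;a ...&gt;text&lt;/a&gt;" and
    // rebuild each anchor; the lazy match stops at the first &gt;.
    return preg_replace_callback('~&lt;a\s+(.+?)&gt;(.*?)&lt;/a&gt;~is',
        function (array $m): string {
            $href = allowed_href($m[1]);
            if ($href === null) {
                return $m[2];   // rule broken: drop the tag, keep the text
            }
            return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8')
                 . '" rel="nofollow">' . $m[2] . '</a>';
        }, $safe);
}

// Returns the one permitted href, or null if the anchor must be dropped.
// Only http(s) URLs that filter_var accepts pass; every other attribute
// (onclick, style, ...) is discarded, and unquoted values never match.
function allowed_href(string $escapedAttrs): ?string
{
    preg_match_all('~([a-z][a-z0-9-]*)\s*=\s*&quot;(.*?)&quot;~i',
                   $escapedAttrs, $pairs, PREG_SET_ORDER);
    $href = null;
    foreach ($pairs as [, $name, $value]) {
        if (strtolower($name) !== 'href') {
            continue;
        }
        $url = htmlspecialchars_decode($value, ENT_QUOTES);
        $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
        if (filter_var($url, FILTER_VALIDATE_URL) !== false
            && in_array($scheme, ['http', 'https'], true)) {
            $href = $url;
        }
    }
    return $href;
}

// Constructed sample post: link 1 keeps only its href, link 2 becomes plain text.
echo sanitize_post('<a href="https://example.com/?a=1&b=2" onclick="x()">this</a> <b>or</b> <a href="javascript:void(0)">that</a>');
```

Because the text is escaped before any tag is restored, a literal `&lt;a` typed by a user becomes `&amp;lt;a` and can never be mistaken for a tag; a closing tag that fails to match is left escaped and simply shows up as text.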
