For a BBS I would like to let users post links to various resources. They 'post' a message to the BBS via a form and that is stored in a MySQL db, then the content of their 'post' is available to other users on the BBS. Currently I strip out all PHP/HTML with the strip_tags() function. What I would really like to do is allow a limited set of HTML tags (like the anchor <a> tag) but at the same time implement reasonable protection.
Get yourself a bbcode parser from phpclasses.org so you can use things like [b] [/b], and [url=] [/url], etc. This is safer than trying to deal with actual HTML, imo. Then use htmlentities() on the data instead of strip_tags(), so the users can actually write something like <grin> and not have it stripped.
In regards specifically to the HTML anchor tag <a>, are there guidelines for what should, and should not be allowed? In other words if I simply allow all of these tags (implementing the algorithm you mentioned above) are there potential problems with that? Or are there specific things I should be looking for with tags?
The problem is with deciding what attributes to allow in tags. If you use strip_tags() and decide to use the second parameter to allow <b> tags, I can write a <b onmouseover="..."> tag that'll execute some javascript for me. It's easy enough to stop that on a <b> tag, but what about an <img> or <a> tag where you have to allow certain attributes and you never know what order they'll be in? That's why a bbcode solution is the best, imo, and use htmlentities() on everything else.
-- ---John Holmes...
Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/
php|architect: The Magazine for PHP Professionals – www.phparch.com
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
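As an added example (not code from this thread, nor from any class on phpclasses.org), the following PHP shows both points John makes: first, that strip_tags() with an allowed tag keeps whatever attributes the user put on that tag, and second, a minimal BBCode-to-HTML converter that runs htmlentities() over the whole post and only emits fixed markup of its own, accepting http(s) targets for [url=]. The function names are this example's own, and it assumes PHP 7 or later for the type declarations.

```php
<?php
// Added example, not from the original thread.

// 1. The attribute problem: once <b> is allowed, strip_tags() keeps the
//    whole tag, including any event-handler attribute the poster added.
function stripTagsKeepsAttributes(string $input): string
{
    return strip_tags($input, '<b>');
}

// 2. Minimal BBCode conversion. Every byte of user text goes through
//    htmlentities(); the only HTML in the output is generated here, so no
//    user-supplied attribute can reach the page.
function bbcodeToHtml(string $input): string
{
    // Escape first, so a literal "<grin>" or "&" is neutralised before
    // the patterns below put fixed markup back in.
    $safe = htmlentities($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // [b]...[/b] -> <b>...</b>  (no attributes are ever emitted)
    $safe = preg_replace('~\[b\](.*?)\[/b\]~is', '<b>$1</b>', $safe);

    // [url=...]...[/url] -> <a href="...">...</a>, http(s) targets only.
    $safe = preg_replace_callback(
        '~\[url=([^\]]+)\](.*?)\[/url\]~is',
        function (array $m): string {
            // $m[1] is already entity-encoded; decode it to inspect the
            // scheme, then re-encode the accepted value for the attribute.
            $raw = html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
            if (!preg_match('~^https?://[^\s"\'<>]+$~i', $raw)) {
                // Anything else (javascript:, data:, ...) is dropped and
                // only the link text is shown.
                return $m[2];
            }
            $href = htmlentities($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
            return '<a href="' . $href . '" rel="nofollow">' . $m[2] . '</a>';
        },
        $safe
    );

    return $safe;
}

// Constructed sample posts for a quick run from the command line.
$posts = [
    '<b onmouseover="alert(1)">hi</b>',
    '[b]hi[/b] <grin> [url=http://example.com/]site[/url]',
    '[url=javascript:alert(1)]click[/url]',
];

// strip_tags() route: the handler on the first post survives.
echo stripTagsKeepsAttributes($posts[0]), "\n";

// BBCode route: <grin> is shown as text, the http link becomes an anchor,
// and the javascript: target is reduced to its link text.
foreach ($posts as $post) {
    echo bbcodeToHtml($post), "\n";
}
```

The order matters: escaping happens before the BBCode patterns run, so nothing the poster typed can be interpreted as HTML, and the converter decides what markup exists. The href check is the one place user data lands inside an attribute, which is why it is decoded, matched against an explicit scheme allow-list, and re-encoded rather than copied through.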