On Thu, 2007-02-08 at 15:32 -0700, Don wrote:
> > I asked this question a while ago and never really visited the issue till
> > now. The response I got showed me how to disable everything, but I want to
> > allow basic HTML tags.
>
>
> http://us3.php.net/strip_tags
>
> You can use the optional second parameter to specify tags which should not
> be stripped.
>
> HTH,
>
> Brad
>
>
> I ended up using strip_tags (thanks Brad)
>
> But to disable other ways of getting javascript to run I also included
> this....
>
> $pattern = array(
>     '/(javascript)/',
>     '/([jJ(j)][aA(a)][vV(v)][aA(a)][sS(5)][cC(c)][rR(r)][iI(i)][pP(p)][tT(t)])/',
>     '/(\.[jJ(j)][sS(s)])/',
>     '/([xX][sS(s)][sS(s)])/',
>     '/([xX][mM][lL])/'
> );
>
> $candidateNewBio = preg_replace($pattern, '', $candidateNewBio);
>
> Is this worthwhile or a waste of time? Because it seems that to really protect
> your site, you need to have a contingency for every possible attack.... And I
> don't even know how some of this stuff is even working with my level of
> understanding.
Like a previous poster said... you need to be smarter than that. Mark up
the entire document via htmlspecialchars(), then replace basic tags with
real tags. So...
<?php
// $content is the untrusted user input; escape all of it first...
$safe = htmlspecialchars( $content );
// ...then turn the escaped form of the exact, attribute-free tags you
// want to allow back into real markup. Anything else stays inert text.
$safe = str_replace( '&lt;b&gt;', '<b>', $safe );
$safe = str_replace( '&lt;/b&gt;', '</b>', $safe );
?>
Better yet, switch to something like BBCode. Why you ask... because
let's say you do the following:
<?php
$safe = strip_tags( $content, '<b>' );
?>
All Joe Hacker needs to do is submit the following:
-----
This is tricky <b onmouseover="document.location = 'www.mypr0n.com';">
-----
This line of attack is clearly warned about in the documentation for
strip_tags().
Cheers,
Rob.
--
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting |
| a powerful, scalable system for accessing system services |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for |
| creating re-usable components quickly and easily. |
`------------------------------------------------------------'
--
PHP General Mailing List (http://www.php.net/)
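The three approaches argued over in this thread side by side, as an added example that is not code from either poster. It runs Don's strip_tags()-plus-blacklist filter, Rob's escape-then-whitelist filter, and a minimal BBCode converter (Rob's "better yet") against the payload quoted above, and checks whether a live event handler survives each one. The function names, the $allowed list, the BBCode tag set and the sample inputs are all assumptions made for this demonstration; it assumes PHP 7 or later.

```php
<?php
// Added example, not code from the thread: runs the three approaches discussed
// above against Joe Hacker's payload. Function names and the $allowed list are
// assumptions made for the demo.
declare(strict_types=1);

// 1. Don's approach: strip_tags() with <b> allowed, then his keyword blacklist.
function filter_blacklist(string $input): string
{
    $out = strip_tags($input, '<b>');
    $pattern = array(
        '/(javascript)/',
        '/([jJ(j)][aA(a)][vV(v)][aA(a)][sS(5)][cC(c)][rR(r)][iI(i)][pP(p)][tT(t)])/',
        '/(\.[jJ(j)][sS(s)])/',
        '/([xX][sS(s)][sS(s)])/',
        '/([xX][mM][lL])/',
    );
    return (string) preg_replace($pattern, '', $out);
}

// 2. Rob's approach: escape everything, then turn the escaped form of an exact,
//    attribute-free tag from a short (assumed) whitelist back into real markup.
function filter_whitelist(string $input, array $allowed = array('b', 'i')): string
{
    $safe = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
    foreach ($allowed as $tag) {
        // "<b>" escapes to "&lt;b&gt;" and is restored; "<b onmouseover=...>"
        // escapes to "&lt;b onmouseover=...&gt;", matches nothing, and stays text.
        $safe = str_replace(
            array("&lt;{$tag}&gt;", "&lt;/{$tag}&gt;"),
            array("<{$tag}>", "</{$tag}>"),
            $safe
        );
    }
    return $safe;
}

// 3. Rob's "better yet": BBCode-style markup. The user never supplies angle
//    brackets at all; only balanced [b]..[/b] and [i]..[/i] pairs become HTML.
function filter_bbcode(string $input): string
{
    $safe = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
    $safe = (string) preg_replace('/\[b\](.*?)\[\/b\]/s', '<b>$1</b>', $safe);
    $safe = (string) preg_replace('/\[i\](.*?)\[\/i\]/s', '<i>$1</i>', $safe);
    return $safe;
}

// True if the output still contains a real tag carrying an on* event handler.
function has_event_handler(string $html): bool
{
    return preg_match('/<[a-z][^>]*\son[a-z]+\s*=/i', $html) === 1;
}

// Constructed inputs: the payload quoted in the thread, plus a BBCode variant.
$payload = 'This is tricky <b onmouseover="document.location = \'www.mypr0n.com\';">bold</b>';
$bbcode  = 'This is tricky [b]bold[/b] <b onmouseover="document.location = \'www.mypr0n.com\';">';

foreach (array('blacklist' => filter_blacklist($payload),
               'whitelist' => filter_whitelist($payload),
               'bbcode'    => filter_bbcode($bbcode)) as $name => $out) {
    printf("%-9s handler survives: %s\n    %s\n", $name,
           has_event_handler($out) ? 'YES' : 'no', $out);
}
```

The blacklist filter passes the payload through untouched: strip_tags() keeps every attribute on an allowed tag, and the payload never contains the word "javascript", so there is nothing for the regexes to remove. In the whitelist filter the opening tag is escaped and rendered as literal text; only the bare closing `</b>` is restored, which a browser ignores as an unmatched end tag. That stray close tag is the one wart of the str_replace() approach, and the BBCode converter avoids it by only emitting HTML for balanced pairs. Note that the ENT_QUOTES flag matters whenever the escaped text will land inside an attribute value, not just in element content.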