PDA

View Full Version : Xss



blm126
09-24-2006, 06:49 PM
I am working on a small comments feature for a site I'm developing. Right now it does absolutely no checks on the input. That is just plain stupid. I know I can use strip_tags to remove HTML, but I would like to allow the user a couple of HTML tags(b,strong,em,i,ul,ol,li,a,you get the idea). So my question is how can I go about removing the attributes of these tags to prevent XSS?

djr33
09-24-2006, 09:51 PM
Well, you could use a search and replace to find any html tags, using wildcards with preg_replace, though I really don't understand how that works.
And, just check if it's an allowed tag.
Or, you could do it the longer way without using preg_replace and search for < or > and check what's in the middle.

The other option is using markup codes, like on this board. I'm coding some myself, and it's not that complex. However, verifying things like if there's a closing tag is a bit annnoying.

blm126
09-24-2006, 10:33 PM
you mean BBcode? I wrote a bbcode parser a long time ago that worked pretty well but I would prefer to allow HTML. If you are trying to code a bbcode parser it is probably bes done with preg_replace/str_replace.

Twey
09-24-2006, 10:52 PM
Use preg_replace() to "whitelist" tags, call htmlentities() on the data, then replace the whitelisted tag strings with their respective angular brackets.