XSS
I am working on a small comments feature for a site I'm developing. Right now it does absolutely no checks on the input. That is just plain stupid. I know I can use strip_tags to remove HTML, but I would like to allow the user a couple of HTML tags (b, strong, em, i, ul, ol, li, a, you get the idea). So my question is: how can I go about removing the attributes of these tags to prevent XSS?
Last edited by blm126; 09-24-2006 at 07:09 PM.
Well, you could use a search and replace to find any html tags, using wildcards with preg_replace, though I really don't understand how that works.
And, just check if it's an allowed tag.
Or, you could do it the longer way without using preg_replace and search for < or > and check what's in the middle.
The other option is using markup codes, like on this board. I'm coding some myself, and it's not that complex. However, verifying things like if there's a closing tag is a bit annoying.
Daniel -
Freelance Web Design | <?php?> | <html> | español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum
You mean BBCode? I wrote a BBCode parser a long time ago that worked pretty well, but I would prefer to allow HTML. If you are trying to code a BBCode parser, it is probably best done with preg_replace/str_replace.
Use preg_replace() to "whitelist" tags, call htmlentities() on the data, then replace the whitelisted tag strings with their respective angular brackets.
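The three-step approach in the reply above (mark the whitelisted tags, escape everything, put the whitelisted tags back), written out as an added example; this is not code from the thread. The allowed-tag list, the placeholder format and the rule that only an http(s) href on `<a>` survives are assumptions made for this example.

```php
<?php
// Added example (not the poster's code): whitelist a few tags, drop their
// attributes, escape everything else, then restore the whitelisted tags.
// $allowedTags, the "[[nonce-N]]" placeholder format and the href rule are assumptions.

function sanitizeComment(string $html, array $allowedTags = ['b', 'strong', 'em', 'i', 'ul', 'ol', 'li', 'a']): string
{
    $nonce   = bin2hex(random_bytes(8));   // unpredictable, so user input cannot forge a placeholder
    $kept    = [];                         // index => rebuilt tag string
    $tagAlt  = implode('|', array_map('preg_quote', $allowedTags));
    // \b after the tag name stops "<br>" from matching the "b" whitelist entry
    $pattern = '#<(/?)(' . $tagAlt . ')\b([^>]*?)/?>#is';

    // Step 1: swap each whitelisted tag for a placeholder, rebuilding the tag without attributes.
    $html = preg_replace_callback($pattern, function (array $m) use (&$kept, $nonce): string {
        [, $slash, $name, $attrs] = $m;
        $name    = strtolower($name);
        $rebuilt = '<' . $slash . $name;
        // The only attribute kept is an http(s) href on an opening <a>; everything else
        // (onmouseover, style, javascript: links, ...) is simply dropped.
        if ($name === 'a' && $slash === '' &&
            preg_match('#\bhref\s*=\s*(["\']?)(https?://[^"\'\s<>]+)\1#i', $attrs, $h)) {
            $rebuilt .= ' href="' . htmlspecialchars($h[2], ENT_QUOTES, 'UTF-8') . '" rel="nofollow"';
        }
        $rebuilt .= '>';
        $kept[]   = $rebuilt;
        return '[[' . $nonce . '-' . (count($kept) - 1) . ']]';
    }, $html);

    // Step 2: escape everything that is left, so any other tag or attribute becomes inert text.
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    $html = htmlentities($html, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // Step 3: put the whitelisted tags back in place of their placeholders.
    return preg_replace_callback('#\[\[' . $nonce . '-(\d+)\]\]#', function (array $m) use ($kept): string {
        return $kept[(int) $m[1]];
    }, $html);
}

// Constructed sample comment mixing allowed tags, event handlers, a javascript: link and a script tag.
$input = '<b onmouseover="alert(1)">hi</b> <a href="javascript:alert(1)">x</a> '
       . '<a href="http://example.com" onclick="evil()">ok</a> <script>alert(1)</script>';
echo sanitizeComment($input), PHP_EOL;
```

Running it on the sample keeps `<b>` and both `<a>` tags, leaves only the http href (plus `rel="nofollow"`) on the second link, and turns the `<script>` tag and every attribute into escaped text. Because the placeholder carries a per-call random nonce, a commenter cannot type a placeholder themselves to smuggle a tag past step 2. The limits are those of any regex approach: it does not check that tags are balanced or properly nested, so for anything beyond a small comment box a real HTML sanitizer such as HTML Purifier is the safer choice.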