

Allow certain HTML and CSS tags


11 replies to this topic

#1 Friiks

    Young Padawan

  • Members
  • Pip
  • 56 posts
  • Gender:Male
  • Location:Latvia
  • Interests:Guitar, music, having all sorts of fun...and well enjoying my life (as enjoyable as it can be) as good as I can :D  Oh yea, and of course - http://snowmoons.com

Posted 06 February 2007 - 12:24 PM

Hi, I've been searching for this for a while but haven't had any luck, so I'm asking here. Could someone explain to me, and possibly give me some code, how to disallow harmful tags and allow harmless HTML tags, as well as limit CSS tags (like disallowing visibility:hidden, etc.)?
That would be very nice to know...

Thanks, Matt.

Edit: I actually had a typo in the title of the topic :|

Edited by Friiks, 06 February 2007 - 01:14 PM.


#2 Av-

    I Feel Left Out

  • Members
  • PipPipPipPip
  • 1,971 posts
  • Gender:Male
  • Location:10 ft. below sea level

Posted 06 February 2007 - 01:05 PM

Check out strip_tags():

strip_tags ( string str [, string allowable_tags] )

#3 bay

    Young Padawan

  • Members
  • Pip
  • 105 posts
  • Gender:Male
  • Location:Chicago, IL USA

Posted 06 February 2007 - 07:56 PM

strip_tags will work for your HTML needs. As for your CSS worries, there's no PHP function to do this for you - as far as I know - so I recommend just preg_match'ing everything you need. For example, you can use an array

$notAllowed = array
(
'visibility'
);

and then loop through them:

foreach ( $notAllowed as $property )
{
    // $css is the user-submitted stylesheet being checked
    if ( preg_match ( "/$property:(.*?);/", $css ) )
    {
        // disallowed property found: reject the CSS
    }
}

#4 Demonslay

    P2L Jedi

  • Members
  • PipPipPip
  • 970 posts
  • Gender:Male
  • Location:A strange world where water falls out of the sky... for no reason.
  • Interests:Graphic Design, Coding, Splinter Cell, Cats

Posted 06 February 2007 - 08:47 PM

Using preg_match() would not be practical, since he wants to filter it all out.
If he were to even bother with preg, he should use preg_replace(), as it allows for the use of arrays so there would be no use for using a foreach loop.

#5 Friiks


Posted 07 February 2007 - 12:20 PM

Hmm...I read about strip_tags() but I'm not really sure how to use it ..
Usually I use it like this: strip_tags($message), so it gets the tags out of the message. Someone told me to do it before inputting data into the database and I have since then. Do I have to use it like
strip_tags($message, '<span>,<p>,<font>,<b>,<s>')
this, where the tags after the comma are the tags which are allowed.. ?

#6 Demonslay


Posted 07 February 2007 - 12:41 PM

It's never in the documentation, and is something I wish were.

To include more than one tag as allowable, you just put them in like this, without the comma.
strip_tags($message, '<span><p><font><b><s>');

And apparently you should read up on the comments of strip_tags() and grab someone's function for also removing script and style tags, as apparently strip_tags() doesn't do it.

#7 Friiks


Posted 07 February 2007 - 01:31 PM

Thanks, Demonslay :D

#8 nitr0x

    Young Padawan

  • Members
  • Pip
  • 201 posts

Posted 07 February 2007 - 05:55 PM

Here is an example from the comments on the strip_tags manual.

<?php
function html2txt($document){
$search = array('@<script[^>]*?>.*?</script>@si',  // Strip out javascript
			   '@<style[^>]*?>.*?</style>@siU',	// Strip style tags properly
			   '@<[\/\!]*?[^<>]*?>@si',			// Strip out HTML tags
			   '@<![\s\S]*?--[ \t\n\r]*>@'		// Strip multi-line comments including CDATA
);
$text = preg_replace($search, '', $document);
return $text;
}
?>
This will strip out all javascript, style, HTML and comments (such as <!-- -->).

You could use the HTML bit to your advantage.
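Putting posts #6 and #8 together, here is an added example (my own code, not from the thread or the PHP manual) of an allow-list sanitizer built on strip_tags(). It removes <script>/<style> blocks first, because strip_tags() drops those tags but keeps their contents, and it rebuilds every surviving tag from scratch because strip_tags() leaves all attributes on an allowed tag untouched; the function name, the per-tag attribute rule and the sample input are assumptions.

```php
<?php
// Added example, not code from the thread. Keeps only the tags in
// $allowedTags, with at most one vetted http(s) URL attribute per tag.
function sanitize_message(string $html, array $allowedTags): string
{
    // 1. Remove script/style blocks and comments wholesale (same idea as
    //    nitr0x's patterns); strip_tags() alone would leave their text behind.
    $html = preg_replace(
        array('@<script[^>]*?>.*?</script>@si', '@<style[^>]*?>.*?</style>@si', '@<!--.*?-->@s'),
        '',
        $html
    );

    // 2. Allow-list the tag names: array('b', 'a') becomes '<b><a>'.
    $html = strip_tags($html, '<' . implode('><', $allowedTags) . '>');

    // 3. Rebuild each remaining tag; strip_tags() kept its attributes as-is.
    return preg_replace_callback(
        '@<(/?)([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>@',
        function (array $m): string {
            $tag = strtolower($m[2]);
            if ($m[1] !== '') {
                return "</$tag>";
            }
            // Assumed rule: only href on <a> and src on <img>, only http(s) URLs.
            $wanted = ($tag === 'a') ? 'href' : (($tag === 'img') ? 'src' : null);
            $keep = '';
            if ($wanted !== null
                && preg_match('@\b' . $wanted . '\s*=\s*["\']?(https?://[^"\'\s>]+)@i', $m[3], $u)) {
                $keep = ' ' . $wanted . '="' . htmlspecialchars($u[1], ENT_QUOTES) . '"';
            }
            return "<$tag$keep>";
        },
        $html
    );
}

// Constructed sample standing in for $_POST['message'].
$sample = '<p style="visibility:hidden">Hi <b>there</b> '
        . '<a href="http://example.com">link</a><script>var s = 1;</script></p>';
echo sanitize_message($sample, array('b', 'p', 'a')), "\n";
```

The inline style and the script body are gone from the output while the link keeps its URL; any attribute not on the assumed list is dropped rather than inspected.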

#9 bay


Posted 07 February 2007 - 09:27 PM

Demonslay, on Feb 6 2007, 09:47 PM, said:

Using preg_match() would not be practical, since he is wanting to filter it all out.
If he were to even bother with preg, he should use preg_replace(), as it allows for the use of arrays so there would be no use for using a foreach loop.
You could replace it, but I thought it would be more logical to just refuse to continue with the CSS script and tell the user that his code is invalid and that he should edit it before trying again.
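The reject-and-report approach from posts #3 and #9, as an added example that is my own code rather than bay's: it is written so that spacing around the colon, upper-case property names and a final declaration with no trailing ';' are all caught, which a bare "/$property:(.*?);/" test misses. The function name and the sample CSS are assumptions.

```php
<?php
// Added example, not from the thread. Returns the disallowed property names
// found in $css (empty array means the CSS may be accepted).
function disallowed_css_properties(string $css, array $notAllowed): array
{
    $found = array();
    // Declarations are "property : value" pairs ended by ';' or a closing '}'.
    foreach (preg_split('/[;}]/', $css) as $declaration) {
        $parts = explode(':', $declaration, 2);
        if (count($parts) !== 2) {
            continue;
        }
        $property = strtolower(trim($parts[0]));
        // Drop selector and brace noise: "p { color" becomes "color".
        $property = preg_replace('/^.*[{\s]/s', '', $property);
        if (in_array($property, $notAllowed, true)) {
            $found[] = $property;
        }
    }
    return array_values(array_unique($found));
}

// Constructed sample standing in for user-submitted CSS: mixed case, spaces
// around the colon, and a last declaration without ';'.
$notAllowed = array('visibility');
$sample = "p { color: red; Visibility : hidden }\n.box { visibility:collapse }";
$bad = disallowed_css_properties($sample, $notAllowed);
if ($bad !== array()) {
    echo 'Rejected; remove these properties and try again: ', implode(', ', $bad), "\n";
}
```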

#10 Friiks


Posted 08 February 2007 - 04:21 PM

Hmm...My code isn't working although I think I did everything right..
$message=mysql_real_escape_string(htmlspecialchars($_POST['message']));
$message=strip_tags($message,'<b><i><s><a><hr><img><ul><ol><li>');

That's the code... and it outputs it like &lt; and stuff. It's the htmlspecialchars tag, but I don't want to remove it. If there's no other way, won't my site become more insecure?

#11 Demonslay


Posted 08 February 2007 - 08:00 PM

You know it makes no sense to use htmlspecialchars() then strip_tags(). All that does is transform all '<' into &gt; etc, then tries to eliminate tags...

You should only really have to use mysql_real_escape_string() and strip_tags() if you mean to secure your data while allowing those certain HTML tags to your users.

#12 Friiks


Posted 09 February 2007 - 06:29 AM

Thanks :D

I wasn't sure.. and yeah, I have been using them together all the time. Thanks, now I'll know :)




