Posted by simon on 05/25/05 09:43
> simon wrote:
>>
>> I have a text area where the user can enter html comments.
>> But that doesn't mean that I trust them ;)
>
> Use strip_tags() function and specify a safe subset of tags to be
> retained in the user input:
>
> http://www.php.net/strip_tags
>
That's not ideal, really; we all agree that almost every tag in HTML is safe,
it is more the elements of the tags that are not safe.
I need to prevent all the onsubmit(...), onmouseover(...) etc. as well as
a few others.
My main problem is that I am not sure what the 'few others' are. For example,
can the user inject malicious code in the style="..."?
Or is CSS only client-side?
I am trying to write a class to list all the tags and elements and only
allow some of them.
I don't think there is one available to only remove what is not pre-approved,
as opposed to blindly removing everything.
> Also, you might consider using a JavaScript-based HTML editor
> without the option of viewing and editing HTML source; this would
> allow your users to author safe HTML.
As above, it either removes a whole tag or leaves a whole tag. Not ideal
IMHO.
>
> Cheers,
> NC
Simon
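As an added example that is not part of the original thread: an allowlist sanitizer in PHP built on DOMDocument, following the shape Simon describes (list the permitted tags and their attributes, drop everything else) rather than strip_tags' whole-tag filtering. The permitted tags, attributes and URL schemes are an assumed policy for the example; style and every on* handler are simply absent from it, and href values are checked so that only http, https, mailto and relative links survive.

```php
<?php
final class HtmlAllowlist
{
    // tag => permitted attributes; this policy is an assumption for the example
    private const ALLOWED = [
        'p' => [], 'br' => [], 'b' => [], 'i' => [], 'em' => [], 'strong' => [],
        'ul' => [], 'ol' => [], 'li' => [], 'blockquote' => [], 'code' => [], 'a' => ['href', 'title'],
    ];
    // Removed together with their content rather than unwrapped
    private const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed'];
    private const URL_SCHEMES = ['http', 'https', 'mailto'];

    public static function clean(string $html): string
    {
        $doc = new DOMDocument();
        libxml_use_internal_errors(true); // tolerate tag soup quietly
        $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>', LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
        $root = $doc->getElementsByTagName('div')->item(0);
        // Snapshot first: DOMNodeList is live and would shift under removals
        foreach (iterator_to_array($root->getElementsByTagName('*')) as $el) {
            $tag = strtolower($el->nodeName);
            if (in_array($tag, self::DROP_WITH_CONTENT, true)) {
                $el->parentNode->removeChild($el);
            } elseif (!isset(self::ALLOWED[$tag])) {
                while ($el->firstChild) { // unwrap: keep the children, drop the tag
                    $el->parentNode->insertBefore($el->firstChild, $el);
                }
                $el->parentNode->removeChild($el);
            } else {
                // Anything not listed goes: on* handlers, style, class, id, ...
                foreach (iterator_to_array($el->attributes) as $attr) {
                    $name = strtolower($attr->nodeName);
                    $bad = !in_array($name, self::ALLOWED[$tag], true)
                        || ($name === 'href' && !self::safeUrl($attr->nodeValue));
                    if ($bad) $el->removeAttribute($attr->nodeName);
                }
            }
        }
        $out = '';
        foreach ($root->childNodes as $child) $out .= $doc->saveHTML($child);
        return $out;
    }

    private static function safeUrl(string $url): bool
    {
        // Browsers ignore tabs/newlines inside a scheme, so strip them before checking
        $url = preg_replace('/[\x00-\x20]+/', '', $url);
        if (!preg_match('/^([a-z][a-z0-9+.-]*):/i', $url, $m)) return true; // relative URL
        return in_array(strtolower($m[1]), self::URL_SCHEMES, true);
    }
}
```

The DOM parser decodes entities before the checks run, so an attribute value disguised with character references is judged on its decoded form. For production use a maintained library such as HTML Purifier covers far more edge cases; the point here is the allowlist shape the thread asks for.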