Posted by simon on 05/25/05 21:20
> Check out strip_tags():
>
> http://www.php.net/strip_tags
>
> It will allow you to strip out HTML tags, and even specify which tags
> you want to keep (i.e. <b>, <i>, <br>, etc.). It won't allow you to
> strip just external links, but it's a good start.
That's not ideal really; we all agree that almost every tag in HTML is safe,
it is more the elements in the tags that are not safe.
I need to prevent all the onsubmit(...), onmouseover(...) etc., as well as
a few others.
My main problem is that I am not sure what the 'few others' are. For example,
can the user inject malicious code in the style="..."?
Or is CSS only client side?
I am trying to write a class to list all the tags and elements and only
allow some of them.
I don't think there is one available to only remove what is not pre-approved,
as opposed to blindly removing everything.
Simon
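The allowlist approach described in the post above, as an added example that is not code from the thread or from PHP's own library: instead of blacklisting on* handlers, it parses the untrusted HTML with DOMDocument and keeps only tags and attributes that are explicitly approved, so anything unknown (event handlers, style, unexpected elements) is dropped by default. It assumes PHP 7 or later with the bundled DOM extension; the tag and attribute lists and the `$dropWithContent` set are illustrative choices, not a definitive list.

```php
<?php
// Added example, not from the original thread: allowlist-based HTML filter.
// Anything not explicitly approved is removed. Assumes PHP >= 7 with ext/dom.

function sanitize_html(string $html): string
{
    // Allowlist: tag => permitted attributes for that tag (illustrative choice).
    // Event handlers (onclick, onmouseover, ...) and style are deliberately
    // absent, so they are stripped without having to enumerate them.
    $allowed = [
        'b'  => [],
        'i'  => [],
        'br' => [],
        'p'  => [],
        'a'  => ['href', 'title'],
    ];
    // Tags whose content must go too; other unknown tags are unwrapped
    // so the user's text inside them survives.
    $dropWithContent = ['script', 'style', 'iframe', 'object', 'embed', 'noscript'];
    // URL schemes accepted in href; javascript:, data:, vbscript: etc. are not listed.
    $allowedSchemes = ['http', 'https', 'mailto'];

    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true); // user input is usually tag soup
    // The xml PI forces UTF-8; the <body> wrapper gives fragments a stable root.
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $html . '</body>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';
    }
    filter_node($body, $allowed, $dropWithContent, $allowedSchemes);

    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function filter_node(DOMNode $node, array $allowed, array $dropWithContent, array $schemes): void
{
    // Snapshot the children because the loop mutates the tree.
    $children = [];
    foreach ($node->childNodes as $c) {
        $children[] = $c;
    }

    foreach ($children as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (in_array($tag, $dropWithContent, true)) {
                $node->removeChild($child); // element and its subtree are gone
                continue;
            }
            // Clean the subtree first so unwrapped children are already filtered.
            filter_node($child, $allowed, $dropWithContent, $schemes);
            if (!isset($allowed[$tag])) {
                // Unknown tag: keep its (already filtered) children, drop the tag.
                while ($child->firstChild !== null) {
                    $node->insertBefore($child->firstChild, $child);
                }
                $node->removeChild($child);
                continue;
            }
            // Remove every attribute that is not on this tag's allowlist.
            // The DOM has already decoded entities, so tricks such as
            // an entity-encoded "javascript:" are seen in their decoded form.
            foreach (iterator_to_array($child->attributes) as $attr) {
                $name = strtolower($attr->name);
                if (!in_array($name, $allowed[$tag], true)) {
                    $child->removeAttribute($attr->name);
                } elseif ($name === 'href' && !safe_url($attr->value, $schemes)) {
                    $child->removeAttribute($attr->name);
                }
            }
        } elseif (!($child instanceof DOMText)) {
            // Comments and processing instructions carry nothing the user needs.
            $node->removeChild($child);
        }
    }
}

function safe_url(string $url, array $schemes): bool
{
    // Browsers ignore ASCII control characters inside URLs, so strip them
    // before looking at the scheme rather than matching the raw string.
    $url = preg_replace('/[\x00-\x1f\x7f]/', '', trim($url));
    if (!preg_match('/^([a-z][a-z0-9+.-]*):/i', $url, $m)) {
        return true; // relative URL, no scheme to worry about
    }
    return in_array(strtolower($m[1]), $schemes, true);
}

// Constructed sample input for demonstration.
$untrusted = '<p onmouseover="x()" style="color:red">Hi <b>there</b> '
           . '<a href="javascript:x()">link</a> <script>x()</script></p>';
echo sanitize_html($untrusted), "\n";
```

Run on the constructed sample, the onmouseover and style attributes on the paragraph are removed, the href is dropped because its scheme is not approved, and the script element disappears with its content, while the paragraph, bold text and link text remain. Because the filter is an allowlist, a new event-handler attribute or a new tag never needs to be added to a blocklist: it is rejected until someone decides to approve it.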