In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Jason Murray) wrote:
> > I want to ban javascript from my site (users can edit some things). I
> > know how to ban it in <script> tags, but does anyone have a function
> > that bans javascript in ALL of the ways of putting it on? It would
> > take me a while to figure them all out.
>
> Use strip_tags and only allow basic HTML (basic HTML can be anything
> but I'd make it <B><I><U><DIV><SPAN><STYLE><TABLE><TR><TD>) through.
>
> This will strip all <SCRIPT> tags.

Just stripping down to a few essential tags isn't sufficient; Javascript can still be fired from any of the remaining tags' standard event handlers: onclick, ondblclick, onmousedown, onmouseup, onmouseover, onmousemove, onmouseout, onkeypress, onkeydown, onkeyup... So you'd also have to strip all event handlers from each tag.

Then there's the "javascript:" pseudo-protocol; so you'd also have to check the href value of all anchor tags to make sure they're not invoking javascript.

And since users can edit some/all of the html, then what's to stop them from using a frame, server-side includes, etc. to incorporate someone else's JS-using page into your site?

OTOH, banning users from any direct editing and running all of their submitted content through htmlentities() before serving it up is a pretty quick and easy solution.

--
CC

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
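The following is an added example, not code posted by anyone in the thread. It runs one constructed piece of user-submitted markup through the three approaches the reply compares: strip_tags() with an allow-list, strip_tags() plus a best-effort scrub of event-handler attributes and javascript: URLs, and htmlentities() on the whole thing. The allow-list, the scrubbing regexes and the sample input are all assumptions made for the demonstration.

```php
<?php
// Added example for the thread above, not the original poster's code.
// Shows why strip_tags() alone does not ban Javascript, how much extra
// scrubbing the "allow some HTML" route needs, and the htmlentities() route.

// Assumed allow-list; kept small on purpose.
const ALLOWED_TAGS = '<b><i><u><div><span><a>';

// Constructed sample input: an event handler on an allowed tag, a <script>,
// two javascript: links (one disguised with case and leading whitespace),
// and a frame pulling in a third-party page.
const SAMPLE = '<b onmouseover="alert(1)">hi</b>'
    . '<script>alert(2)</script>'
    . '<a href="javascript:alert(3)">link</a>'
    . '<a href="  JaVaScRiPt:alert(4)">disguised</a>'
    . '<iframe src="http://example.com/other.html"></iframe>';

// Route 1: strip_tags() with an allow-list. <script> and <iframe> go,
// but attributes on the allowed tags (including onmouseover and href) survive.
function strip_tags_only(string $html): string
{
    return strip_tags($html, ALLOWED_TAGS);
}

// Route 2: strip_tags() followed by scrubbing of every remaining tag.
// Only attribute text inside tags is touched, not element content.
function scrub_allowed_html(string $html): string
{
    $out = strip_tags($html, ALLOWED_TAGS);

    return preg_replace_callback('/<[^>]*>/', function (array $tag): string {
        $t = $tag[0];

        // Drop every on* attribute (double-quoted, single-quoted or bare value).
        $t = preg_replace('/\s+on\w+\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)/i', '', $t);

        // Drop href/src attributes whose scheme, after removing whitespace and
        // control characters, is javascript:, vbscript: or data:.
        return preg_replace_callback(
            '/\s+(href|src)\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)/i',
            function (array $m): string {
                $value  = trim($m[2], "\"'");
                $scheme = strtolower(preg_replace('/[\x00-\x20]+/', '', $value));
                return preg_match('/^(javascript|vbscript|data):/', $scheme) ? '' : $m[0];
            },
            $t
        );
    }, $out);
}

// Route 3: what the reply recommends. No markup survives; every < > " ' &
// is rendered as text, so nothing the user typed can become a tag or handler.
function escape_everything(string $html): string
{
    return htmlentities($html, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

echo "strip_tags only:\n", strip_tags_only(SAMPLE), "\n\n";
echo "strip_tags + scrubbing:\n", scrub_allowed_html(SAMPLE), "\n\n";
echo "htmlentities:\n", escape_everything(SAMPLE), "\n";
```

Running it shows route 1 leaving `<b onmouseover="alert(1)">` and both `javascript:` hrefs intact. Route 2 removes them, but only because the scrubber happens to know about those tricks; entity-encoded schemes, attributes split by stray quotes, style attributes and anything a browser's lenient parser accepts that the regexes do not anticipate are exactly the kind of thing the reply warns about. Route 3 has no such list to maintain, which is why it is the quick and easy answer when users do not actually need to submit markup.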