on 21/11/02 2:25 AM, David Russell ([EMAIL PROTECTED]) wrote:

> strip_tags($_POST['Duplicate'], '<B> <I> <P> <A> <LI> <OL> <UL> <EM>
> <BR> <TT> <STRONG> <BLOCKQUOTE> <DIV> <ECODE> ');
>
> OK, so this is cool. I got this list from the Slashdot allowed tags
> list, which I would assume is ok.
Whoa there... NEVER assume because someone else does something that it's "okay" or "safe".

According to your above checks, I'm allowed to do this:

<B onmouseover="window.close();">something evil</b>

Strip tags does not make a post safe at all... *safer* maybe, but nowhere near safe.

Really, what's needed is another version of strip tags which allows you to specify allowed attributes per tag:

strip_tags_attr($string, '<B> <P class id style> <A href title> <BR>')

But even that wouldn't prevent people from sneaking javascript (OR OTHER CLIENT SIDE SCRIPTING) into the href attribute.

But, I haven't got enough brains to actually write the extension for PHP, so hopefully someone else will pick it up eventually.

In the meantime, the only solution I can think of is to not allow <b>tags</b>... perhaps allow some other form of [i]tag[/i] tag system which doesn't allow any attributes. Then you can simply strip all tags, and then go onto replacing [b] with <b>, etc etc. It's a lot of work, and you will run into even more work when you choose to allow [a href=""] or other attributes, but it IS safer.

Or, perhaps it's "cheaper" for you to do some preliminary stripping of tags as per your code above, and then have a moderator physically check over the code for hidden "evil".

Justin French
--------------------
http://Indent.com.au
Web Development & Graphic Design
--------------------

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
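The "[tag]" scheme Justin sketches above, written out in PHP as an added example (this is not code from the thread or from PHP itself). It escapes all HTML first, so no poster-supplied attribute such as onmouseover survives, then turns a short allow list of attribute-free [tags] into HTML, and validates the one value-carrying tag, [url=...], before it becomes a link. The function name bbcode_to_html, the chosen tag names and the sample posts are assumptions made for the example; the comparison with strip_tags() at the end shows the attribute problem the mail describes.

```php
<?php
// Added example (not from the thread): the "[tag]" scheme Justin proposes,
// done the safe way round. Every HTML character is escaped first, so no
// attribute written by the poster (onmouseover, etc.) can survive; a short
// allow list of attribute-free [tags] is then turned into HTML, and the one
// tag that carries a value, [url=...], is validated before it becomes a link.
// The tag names below are our own choice, not something the mail fixes.

function bbcode_to_html(string $input): string
{
    // 1. Escape everything. Unlike strip_tags() with an allow list, this
    //    leaves no tag, and therefore no attribute, from the poster intact.
    $safe = htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // 2. Re-introduce a fixed set of tags that take no attributes at all.
    $simple = ['b', 'i', 'em', 'strong', 'tt', 'p', 'blockquote', 'ol', 'ul', 'li'];
    foreach ($simple as $tag) {
        $safe = preg_replace(
            '~\[' . $tag . '\](.*?)\[/' . $tag . '\]~is',
            '<' . $tag . '>$1</' . $tag . '>',
            $safe
        );
    }
    $safe = str_ireplace('[br]', '<br>', $safe);

    // 3. [url=target]text[/url]: the only tag with a value. The target must be
    //    an absolute http(s) URL, which rules out javascript: and every other
    //    client-side scheme; otherwise the link is dropped and the text kept.
    return preg_replace_callback(
        '~\[url=([^\]]+)\](.*?)\[/url\]~is',
        function (array $m): string {
            // The target was entity-encoded in step 1 (& became &amp;);
            // decode it for validation, then encode it again for output.
            $target = html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
            if (!preg_match('~^https?://~i', $target)
                || filter_var($target, FILTER_VALIDATE_URL) === false) {
                return $m[2];
            }
            $href = htmlspecialchars($target, ENT_QUOTES | ENT_HTML5, 'UTF-8');
            return '<a href="' . $href . '">' . $m[2] . '</a>';
        },
        $safe
    );
}

// Constructed sample posts, mirroring the thread's examples.
$html_post = '<b onmouseover="window.close();">something evil</b>';
// strip_tags() with an allow list keeps the attribute on the allowed tag:
echo strip_tags($html_post, '<b>'), "\n";
// bbcode_to_html() escapes it, so the browser shows the tag as plain text:
echo bbcode_to_html($html_post), "\n";

$bb_post = '[b]bold[/b] [url=javascript:void(0)]dropped[/url] '
         . '[url=https://example.com/?a=1&b=2]kept[/url] [br]';
echo bbcode_to_html($bb_post), "\n";
```

Because escaping happens before any tag is re-created, the only HTML that can reach the browser is what this function itself emits; adding a new attribute later (the [a href=""] case Justin mentions) means adding one more validated branch like the [url] one, rather than trying to enumerate everything a poster must not write.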