What is the sense of the [allowable_tags] parameter in strip_tags()?
According to the docs, "You can use the optional second parameter to specify tags which should not be stripped".
OK. Suppose I have a PHP guestbook and use strip_tags() to filter all tags except <b>, <i>, <u> in users' messages. Then a "cool hacker" enters the following string in my guestbook:

<b style="position:absolute;top:0px;left:0px;font-size:10em" onmouseover="alert("you have been fu*ked!")"> THE MATRIX HAS YOU :) </b>

I see the following solutions to the problem:
1) Strip ALL tags by hand. The current version of strip_tags() cannot be used for this operation; see the explanation below.
2) Use "pseudotags" like BBCode in phpBB.
3) Do not strip any tags, but apply htmlspecialchars() before output.
4) Write a new strip_tags() which must strip all tags and cut ANY chars after allowable tags. In the example above it must leave: <b> THE MATRIX HAS YOU :) </b>
Propose any other way if you know it. Which way is better? The last one, in my opinion.

And now I'll show some examples which explain the wrong behavior of the current version of strip_tags():
1) <b onclick="if (1 > 2) alert('WOW!')">the bold string</b>
2) <b onclick="if (1 < 2) alert('YES!')">the hidden string</b>
3) <!-- <<< the cool comment <<< -->any HTML after the HTML comment will be stripped.
4) <?='?>'?>test
The list could be continued...
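The following is an added example, not code from the original post or from PHP itself. It puts the guestbook filter the post describes (strip_tags() with a whitelist, which keeps every attribute on an allowed tag) next to option 3 from the post carried one step further: escape the whole message with htmlspecialchars() first, then turn only the exact bare forms <b>, </b>, <i>, </i>, <u>, </u> back into tags. The function names, the $allowed parameter and the sample strings are assumptions made here; the samples are constructed after the payloads in the post.

```php
<?php
declare(strict_types=1);

// What the guestbook in the post does: allowed tags survive with all their
// attributes, so an event handler on <b> reaches the browser untouched.
function naive_filter(string $input): string
{
    return strip_tags($input, '<b><i><u>');
}

// Escape-first filter. $allowed is an assumed parameter; the post only
// discusses <b>, <i> and <u>.
function safe_filter(string $input, array $allowed = ['b', 'i', 'u']): string
{
    // 1. Every < > & " ' becomes an entity, so no tag, attribute, HTML comment
    //    or <?= fragment can reach the browser as markup.
    $out = htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // 2. Turn only the exact bare forms back into tags. "&lt;b onmouseover=..."
    //    does not match "&lt;b&gt;", so a tag carrying attributes stays text.
    foreach ($allowed as $tag) {
        $out = str_ireplace(
            ['&lt;' . $tag . '&gt;', '&lt;/' . $tag . '&gt;'],
            ['<' . $tag . '>', '</' . $tag . '>'],
            $out
        );
    }

    // 3. Close tags the user left open so one message cannot bleed bold or
    //    underline formatting into the rest of the page.
    foreach ($allowed as $tag) {
        $missing = substr_count($out, "<$tag>") - substr_count($out, "</$tag>");
        if ($missing > 0) {
            $out .= str_repeat("</$tag>", $missing);
        }
    }
    return $out;
}

// Constructed samples modelled on the payloads in the post.
$samples = [
    '<b style="position:absolute;top:0px;left:0px" onmouseover="alert(1)">THE MATRIX HAS YOU</b>',
    '<b onclick="if (1 < 2) alert(\'YES!\')">the hidden string</b>',
    '<!-- <<< the cool comment <<< -->any HTML after the comment',
    '<?=\'?>\'?>test',
    '<u>unclosed underline',
    'plain <b>bold</b> and <i>italic</i> text',
];

foreach ($samples as $s) {
    echo "input : $s\n";
    echo "naive : " . naive_filter($s) . "\n";
    echo "safe  : " . safe_filter($s) . "\n\n";
}
```

Run it with `php filter.php` and compare the two output lines per sample: naive_filter() passes the onmouseover handler through as live markup, while safe_filter() shows it as escaped text and only renders bare <b>, <i>, <u>. Two limits worth knowing: a closing tag whose opening tag carried attributes (and was therefore left escaped) still comes through as a stray </b>, which browsers ignore, and the balancing step counts tags without checking nesting order. For anything richer than three bare tags, a dedicated HTML sanitizer that parses the markup is the safer tool than string replacement.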
-- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php