From: "Wouter van Vliet" <[EMAIL PROTECTED]>

> Let's make this personal: what would be your answer if I would advise the
> friendly person to do this:

Heh.. I hope you're just kidding about "making it personal"... I was just
presenting security problems with various solutions.

> <?php
> # (..) $Content holds the string that you would want to be safe
>
> # Create an array with allowed tags
> $Allowed = array('b', 'u', 'i', 'grin', 'foo');
>
> # Compose var to send to strip_tags
> $AllowedTags = '';
> foreach ($Allowed as $Tag) $AllowedTags .= '<' . $Tag . '>';
>
> # Strip tags (everything except the allowed ones)
> $Content = strip_tags($Content, $AllowedTags);
>
> # Make tags SAFE: drop any attributes from the allowed tags
> # (join() takes the glue first; /i so <B onclick=...> is caught as well)
> $Content = preg_replace('/<(' . join('|', $Allowed) . ')([^>]+)>/i', '<$1>',
> $Content);
> ?>

I didn't actually try that, but I'm sure it's fine. It seems to remove any
extra data in the tags you want to allow. It's good that you're still
stopping me from entering such devious and sinister code such as <(.) (.)>
and <bar>...

My point here is that I absolutely loathe the strip_tags() function and think
it should be banished to the 12th circle of hell, meaning mainly ASP or JSP.
I can think of no valid reason where anyone would require that function.

In any program, if I enter the string "<foo>", then I expect to either 1)
Receive an error or 2) See _exactly_ that string on any web page, email,
etc, showing my string. I do not want your program (speaking in general
terms here) to remove something from my string because it assumes it could
possibly be something bad.

I'm against letting users enter HTML in their data, also. I'd rather employ a
bbcode type solution, turning [b] into <b>, etc. This way, YOU set the rules
and say the user can do these _5_ things in this exact syntax. Otherwise
you're held at the mercy of the HTML and browser specs and hoping that even
just allowing <b> in the future won't have any security issues. When _you_
set the rules, you win.

So, my suggestions:

1. Just run everything through htmlentities(). If the users require advanced
formatting, provide a bbcode solution.

2. If you just _have to_ let users use HTML like <b> and <i>, then I'd use a
solution similar to what you have above, but drop the strip_tags.

$allowed_tags = array('b', 'i');

// Escape everything first; only what we explicitly convert back becomes live HTML
$safe_data = htmlentities($unsafe_data, ENT_QUOTES);

// Convert each allowed &lt;tag&gt;...&lt;/tag&gt; pair back. Work on $safe_data
// cumulatively, otherwise each pass would throw away the previous tag's conversion.
foreach ($allowed_tags as $tag) {
    $safe_data = preg_replace('/&lt;' . $tag . '&gt;(.*)&lt;\/' . $tag . '&gt;/Usi',
        '<' . $tag . '>$1</' . $tag . '>', $safe_data);
}
$formatted_data = $safe_data;

Untested of course, but the only point that someone should take away is that
you should set the rules...

---John Holmes...

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
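The bbcode approach John recommends in suggestion 1, written out as a complete function. This is an added example, not code from the thread or from either poster; the function name bbcode_to_html(), the tag map and the sample strings are assumptions made for the example.

```php
<?php
// Added example: John's suggestion 1 (htmlentities() everything, then turn a
// fixed set of bbcode tags into HTML). Function name and tag list are
// assumptions for this example, not anything from the original thread.

// Map of bbcode tag name => HTML element. Only these elements are ever emitted,
// and they are emitted by this code, never copied from user input.
$bbcode_tags = array(
    'b'     => 'strong',
    'i'     => 'em',
    'u'     => 'u',
    'code'  => 'code',
    'quote' => 'blockquote',
);

function bbcode_to_html($unsafe, array $tags)
{
    // Step 1: neutralise every '<', '>', '&' and quote the user typed. After
    // this line the only way for a live tag to reach the output is step 2.
    $out = htmlentities($unsafe, ENT_QUOTES, 'UTF-8');

    // Step 2: convert balanced [tag]...[/tag] pairs for the allowed tags only.
    // U (ungreedy) makes (.*) stop at the nearest closing tag, s lets it span
    // newlines. Repeating until nothing changes handles same-tag nesting such
    // as [b][b]x[/b][/b]; different tags are handled by the outer loop.
    foreach ($tags as $bb => $html) {
        $pattern     = '/\[' . preg_quote($bb, '/') . '\](.*)\[\/' . preg_quote($bb, '/') . '\]/Usi';
        $replacement = '<' . $html . '>$1</' . $html . '>';
        do {
            $out = preg_replace($pattern, $replacement, $out, -1, $count);
        } while ($count > 0);
    }
    return $out;
}

// Constructed sample inputs: raw HTML stays literal (escaped), allowed bbcode
// becomes markup, unknown or unclosed bbcode is left exactly as typed.
$samples = array(
    'Hello [b]world[/b]',
    '[b][i]nested[/i][/b]',
    '<script>alert(1)</script> [b]still bold[/b]',
    '[b]unclosed tag stays literal',
    '[foo]unknown tag stays literal[/foo]',
);
foreach ($samples as $s) {
    echo bbcode_to_html($s, $bbcode_tags), "\n";
}
```

Running it prints one line per sample; the third sample comes out as `&lt;script&gt;alert(1)&lt;/script&gt; <strong>still bold</strong>`, which is the point of the approach: nothing a user types is ever interpreted as HTML, and the five elements that can appear are chosen by the code, not by the browser's tolerance for whatever made it past a filter.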
