CPT John W. Holmes wrote:
> From: "Wouter van Vliet" <[EMAIL PROTECTED]>
>
>> Let's make this personal: what would be your answer if I would advise
>> the friendly person to do this:
>
> Heh.. I hope you're just kidding about "making it personal"... I was
> just presenting security problems with various solutions.

Yes, I was just kidding.

>> <?php
>> (..) $Content holds the string that you would want to be safe
>>
>> # Create an array with allowed tags
>> $Allowed = Array('b', 'u', 'i', 'grin', 'foo');
>>
>> # Compose var to send to strip_tags
>> $AllowedTags = '';
>> foreach($Allowed as $Tag) $AllowedTags .= '<'.$Tag.'>';
>>
>> # Strip tags
>> $Content = strip_tags($Content, $AllowedTags);
>>
>> # Make tags SAFE (drop any attributes left inside the allowed tags)
>> $Content = preg_replace('/<('.implode('|', $Allowed).')([^>]+)>/',
>>                         '<$1>', $Content);
>> ?>
>
> I didn't actually try that, but I'm sure it's fine. It seems to remove
> any extra data in the tags you want to allow. It's good that you're
> still stopping me from entering such devious and sinister code such as
> <(.) (.)> and <bar>...

Neither did I try my own code. And yes, sinister code like <bar> and
probably <(.) (.)> wouldn't come through the strip_tags function. Though
I'm not sure about the second one. (nor the first one, but a little more)

> My point here is that I absolutely loathe the strip_tags() function and
> think it should be banished to the 12th circle of hell, meaning mainly
> ASP or JSP. I can think of no valid reason where anyone would require
> that function.

I sometimes use it to allow certain HTML code to be entered in a form. For
example on a news site, where news editors are pretty familiar with HTML
without any desire to use a new markup language. PHP is a programming
language (as you no doubt know) designed and most used for web
applications. I think PHP would lose its identity as such without direct
HTML code manipulating functions.

> In any program, if I enter the string "<foo>", then I expect to either
> 1) Receive an error or 2) See _exactly_ that string on any web page,
> email, etc, showing my string. I do not want your program (speaking in
> general terms here) to remove something from my string because it
> assumes it could possibly be something bad.

Agree.

> I'm against letting users enter HTML in their data, also. I'd rather
> employ a bbcode type solution, turning [b] into <b>, etc. This way, YOU
> set the rules and say the user can do these _5_ things in this exact
> syntax. Otherwise you're held at the mercy of the HTML and browser specs
> and hoping that even just allowing <b> in the future won't have any
> security issues. When _you_ set the rules, you win.

Usually agree for forum-like applications. Not for HTML email sending
applications.

> So, my suggestions:
>
> 1. Just run everything through htmlentities(). If the users require
> advanced formatting, provide a bbcode solution.
>
> 2. If you just _have to_ let users use HTML like <b> and <i>, then I'd
> use a solution similar to what you have above, but drop the strip_tags.
>
> $allowed_tags = array('b','i');
>
> $safe_data = htmlentities($unsafe_data, ENT_QUOTES);
>
> foreach($allowed_tags as $tag)
> {
>     $safe_data = preg_replace('/&lt;' . $tag . '&gt;(.*)&lt;\/' . $tag . '&gt;/Ui',
>                               "<$tag>$1</$tag>", $safe_data);
> }
>
> Untested of course, but the only point that someone should take away is
> that you should set the rules...

Hmmmm ... Still considering a reply to that one ;)

> ---John Holmes...

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
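The two approaches John argues for above ("escape everything, then re-enable a fixed allowlist" and a bbcode dialect), written out as a working example. This is added here and is not code from either poster; the function names allow_tags and bbcode_to_html and the sample inputs are my own.

```php
<?php
// Added example, not from the thread. Over John's sketch it fixes two
// things: match the *encoded* tag (after escaping, "<b>" is "&lt;b&gt;")
// and feed each pass the output of the previous one, not the raw string.
function allow_tags(string $untrusted, array $allowed): string
{
    // 1. Neutralise everything: no raw <, >, quotes or & survive this.
    $safe = htmlspecialchars($untrusted, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // 2. Put back only exact <tag>...</tag> pairs from the allowlist. The
    //    pattern leaves no room for attributes, so "<b onclick=...>" stays
    //    escaped and inert.
    foreach ($allowed as $tag) {
        $q = preg_quote($tag, '/');
        $safe = preg_replace(
            '/&lt;' . $q . '&gt;(.*?)&lt;\/' . $q . '&gt;/is',
            '<' . $tag . '>$1</' . $tag . '>',
            $safe
        );
    }
    return $safe;
}

// The bbcode alternative: the application, not the browser, decides what
// each code turns into. $map is bbcode name => HTML element name.
function bbcode_to_html(string $untrusted, array $map): string
{
    $safe = htmlspecialchars($untrusted, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    foreach ($map as $code => $element) {
        $q = preg_quote($code, '/');
        $safe = preg_replace(
            '/\[' . $q . '\](.*?)\[\/' . $q . '\]/is',
            '<' . $element . '>$1</' . $element . '>',
            $safe
        );
    }
    return $safe;
}

// Constructed inputs: a harmless tag, a tag carrying an event handler, a
// raw script element, and bbcode mixed with raw HTML.
$samples = [
    'plain <b>bold</b> text',
    '<b onmouseover="alert(1)">hover</b>',
    '<script>alert(1)</script><i>ok</i>',
    'bbcode: [b]bold[/b] and [i]<i>mixed</i>[/i]',
];
foreach ($samples as $s) {
    echo 'allow_tags : ', allow_tags($s, ['b', 'i']), "\n";
    echo 'bbcode     : ', bbcode_to_html($s, ['b' => 'b', 'i' => 'em']), "\n";
}
```

Only the bare `<b>`/`<i>` pairs come back as markup; the handler-carrying tag and the script element remain escaped text, and under the bbcode path raw HTML inside `[i]...[/i]` stays escaped as well.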