On 20 May 2010 14:53, Al <n...@ridersite.org> wrote:
> I have a password-protected, user, on-line editor that I'm hardening against
> hackers just in case a user's pw is stolen or local PC is infected.
> The user can enter html tags; but, I restrict the acceptable tags to benign
> ones. e.g., <p>, <b>, <table>, etc.  e.g., no <embed... <script... etc.
> Just to be extra safe, I've added a function that parses for executables in
> the raw, entered text. If found, I post and nasty error message and ignore
> the entry altogether.
> Here are my regex patterns. I tried finding a complete list of browser
> executables; but was unsuccessful, probably because I didn't use the right
> key words.
> Anyone have suggestions for additional patterns?
> $securityPatternsArray=array(
> "\<script\x20",
> "\<embed\x20",
> "\<object\x20",
> 'language="javascript"',
> 'type="text/javascript"',
> 'language="vbscript\"',
> 'type="text/vbscript"',
> 'language="vbscript"',
> 'type="text/tcl"',
> "error_reporting\(0\)",//Most hacks I've seen make certain they turn of
> error reporting
> "\<?php",//Here for the heck of it.
> );

Rolling your own when it comes to this is a very bad idea: chances are
you'll miss something even if asking a list like this. Much better to
use an existing tool like htmlpurifier.


WWW: http://plphp.dk / http://plind.dk
LinkedIn: http://www.linkedin.com/in/plind
Flickr: http://www.flickr.com/photos/fake51
BeWelcome: Fake51
Couchsurfing: Fake51

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to