> For my website I created an updating system in php. Where my staff and I can
> write articles that then get saved to the server, linked to, etc. I allowed
> html to be passed from the form because a lot of the staff likes to use html
> tags in their articles. Which I know is a security issue.
> I know I could use HTMLSpecialChars() and then devise my own mark up system;
> which I will if I have no other alternative. But I was wondering if just
> searching the article string for "<?", "?>", "<script", etc and not writing
> the file if they're found would suffice. That almost seems too simple
> though.

You could also define a list of tags you allow and pass them to the
strip_tags() function.  See http://php.net/strip_tags


PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to