Well, you could replace all script tags with this regex:

$string = preg_replace("/<\/?SCRIPT.*?>/is", "", $string);

But, if you're converting all < and > to their HTML equivalents (which you
should be) using something like htmlspecialchars or your own regex, you
shouldn't even need to do that.  You might also want to think about
strip_tags(), though again, I prefer just to convert the characters and not
worry about it.

As for your links, I'd rethink the user input and use something like
[a=www.microsoft.com]Click[/a] ;>

// quick and dirty regex
$string = preg_replace("/\[a=(.+?)\](.*?)\[\/a\]/is", "<a href=\"\\1\" target=\"_blank\">\\2</a>", $string);


"Trongduc" <[EMAIL PROTECTED]> wrote in message
> hi,
> can anyone help me this ?
> 1)
> I made a simple forum, and it will allow the users to send their messages
> HTML format.
> But I worried about the security of my website, so I removed all of the
> "<SCRIPT" tags in their messages by placing "</SCRIPT" instead.
> (Because the users maybe use <SCRIPT language="JavaScript">, so I cannot
> replace "<SCRIPT>" exactly)
> Is it the best solution to protect my pages from malicious code ? (is it
> secure for my pages ?)
> Are there other ways that someone can use malicious codes in their
> without <SCRIPT> ?
> 2)
> In the case I do not allow the users send messages in HTML codes, I
> (similar with phpBB code) :
> [a]=>"<a href="
> [/a]=>">"
> [//a]=>"</a>"
> example the content of message is :
> [a]www.microsoft.com[/a]Click here...[//a]
> ...will place a link to Microsoft.com, but the problems will happen when
> users use only [a], or [/a], not use [//a] to close the link. Can anyone
> help me to fix this problem ? (is there another way to do this more simple
> ?)
> thanks very much...

PHP General Mailing List (http://www.php.net/)
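
The approach recommended in the reply above (escape everything, then generate the link markup yourself), as an added example that is not part of the original message. The function names render_message() and safe_href() and the http/https scheme allowlist are assumptions introduced here; the sample messages are constructed.

```php
<?php
// Added example; render_message() and safe_href() are hypothetical names.

// Accept only http(s) targets. $url is already HTML-escaped by the caller.
function safe_href(string $url): ?string
{
    // No scheme at all (e.g. www.microsoft.com): treat it as an http link.
    if (!preg_match('#^[a-z][a-z0-9+.\-]*:#i', $url)) {
        $url = 'http://' . $url;
    }
    // Scheme allowlist: javascript:, data:, vbscript: and others are refused.
    return preg_match('#^https?://[^\s"\'<>]+\z#i', $url) ? $url : null;
}

function render_message(string $raw): string
{
    // 1. Escape everything first, so no user-supplied markup survives.
    $safe = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // 2. Re-introduce only the one tag we generate ourselves.
    //    An [a=...] with no closing [/a] never matches and stays plain text.
    $html = preg_replace_callback(
        '/\[a=([^\]\s]+)\](.*?)\[\/a\]/is',
        function (array $m): string {
            $href = safe_href($m[1]);
            if ($href === null) {
                return $m[0]; // leave the rejected tag visible as text
            }
            return '<a href="' . $href . '" target="_blank" rel="noopener noreferrer">'
                 . $m[2] . '</a>';
        },
        $safe
    );
    return $html ?? $safe; // on a regex error, fall back to the escaped text
}

// Constructed sample messages.
$samples = [
    '[a=www.microsoft.com]Click[/a]',
    '<SCRIPT language="JavaScript">alert(1)</SCRIPT>',
    '[a=javascript:alert(1)]Click[/a]',
    '[a=www.microsoft.com]Click here...',
];
foreach ($samples as $s) {
    echo render_message($s), "\n";
}
```

Because the escape step runs before the tag conversion, the only markup in the output is the anchor built in the callback; a host written with an explicit port but no scheme (host:8080) is refused by this allowlist and stays as text.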