In article <[EMAIL PROTECTED]>,
 [EMAIL PROTECTED] (Jason Murray) wrote:

> > I want to ban javascript from my site (users can edit some things).  I 
> > know how to ban it in <script> tags, but does anyone have a function 
> > that bans javascript in ALL of the ways of puting it on?  It would 
> > take me a while to figure them all out. 

> Use strip_tags and only allow basic HTML (basic HTML can be anything
> but I'd make it <B><I><U><DIV><SPAN><STYLE><TABLE><TR><TD>) through.
> This will strip all <SCRIPT> tags.

Just stripping down to a few essential tags isn't sufficient; Javascript 
can still be fired from any of the remaining tags' standard event handlers: 
onclick, ondblclic, onmousedown, onmouseup,  onmouseover, onmousemove, 
onmouseout, onkeypress, onkeydown, onkeyup...  So you'd also have to strip 
all event handlers from each tag.

Then there's the "javascript: " pseudo-protocol; so you'd also have to 
check the href value of all anchor tags to make sure they're not not 
invoking javascript.

And since users can edit some/all of the html, then what's to stop them 
from using a frame, server-side includes, etc. to incorporate some else's 
JS-using page into your site? 

OTOH, banning users from any direct editing and running all of their 
submitted content through htmlentities() before serving it up is a pretty 
quick and easy solution.


PHP General Mailing List (
To unsubscribe, visit:

Reply via email to