Further to a discussion we had yesterday about the danger of onLoad,
onMouseOver, etc etc of allowed tags when using strip_tags(), I've decided
to look at the issue from another angle.
For the limited set of tags I usually allow on user input, <B><I><U>, I'm
going to take the approach of deleting anything I don't specifically TRUST,
rather than deleting things I don't trust.
For such simple tags, it seems to me to be a smarter move to delete anything
in the tag apart from the actual tag.
<B"anything else"> becomes <B>
This eliminates the danger of people putting anything evil like
So, I'd like a regexp which looks for multiple occurrences of a tag (let's
take <B> for an example), and throw out anything not needed.
In English, I guess it looks like:
look for a "<" followed by a "b" (case insensitive), then throw away
anything up to the first ">" we find.
Better still would be a regexp or function that checks for b|i|u, or a
passed set of tags.
I'm aware that this type of hard-line approach will prevent <B id="foo">,
and I will also have problems on things like <FONT face="something"> and <A
HREF="foo.php">, but I plan to devise some pseudo tags for links, and don't
require font tags, image tags, etc etc.
Many thanks in advance,
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
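The allow-list approach described in the post above, written out as an added example (this is editor-supplied code, not something posted to the list or part of PHP itself). The function name sanitize_simple_tags, the default tag list and the sample inputs are all assumptions made for the illustration. It scans for "<", and when what follows is one of the permitted tag names it emits a bare <b>, <i> or <u> (or the closing form) regardless of what sat between the name and the first ">"; any other "<" is HTML-encoded, as is all text between tags, so nothing that is not explicitly trusted can reach the browser as markup:

```php
<?php
// Added example, not from the original post: allow-list sanitizer that keeps
// only <b>, <i>, <u> and their closing tags, with every attribute removed,
// and HTML-encodes everything else.

function sanitize_simple_tags(string $input, array $allowed = ['b', 'i', 'u']): string
{
    // Assumption: $allowed holds plain ASCII tag names (no attributes wanted).
    $names = implode('|', array_map('preg_quote', $allowed));

    // \G anchors the match at the offset we pass to preg_match. The pattern is:
    // "<", optional "/", an allowed name (not followed by a word char, so <br>
    // does not match "b"), then anything up to the first ">" which is thrown away.
    $tagRe = '#\G<\s*(/?)\s*(' . $names . ')(?![\w-])[^>]*>#i';

    $out  = '';
    $open = [];                 // stack of currently open allowed tags
    $len  = strlen($input);
    $pos  = 0;

    while ($pos < $len) {
        $lt = strpos($input, '<', $pos);
        if ($lt === false) {
            // No more "<": the remainder is plain text.
            $out .= htmlspecialchars(substr($input, $pos), ENT_QUOTES, 'UTF-8');
            break;
        }
        // Text before the "<" is never trusted as markup.
        $out .= htmlspecialchars(substr($input, $pos, $lt - $pos), ENT_QUOTES, 'UTF-8');

        if (preg_match($tagRe, $input, $m, 0, $lt)) {
            $closing = ($m[1] === '/');
            $name    = strtolower($m[2]);
            if (!$closing) {
                $out .= "<$name>";          // <B onMouseOver="..."> becomes <b>
                $open[] = $name;
            } elseif (!empty($open) && end($open) === $name) {
                array_pop($open);
                $out .= "</$name>";
            }
            // A stray or mis-nested closing tag is dropped entirely.
            $pos = $lt + strlen($m[0]);
        } else {
            // Not an allowed tag: encode the "<" so it can never start markup.
            $out .= '&lt;';
            $pos = $lt + 1;
        }
    }

    // Close anything still open so the fragment cannot swallow the rest of the page.
    while (($name = array_pop($open)) !== null) {
        $out .= "</$name>";
    }
    return $out;
}

// Constructed sample inputs for demonstration.
$samples = [
    '<B onMouseOver="alert(1)">bold</B>',
    '<<b>script>alert(1)</script>',
    '<i>unclosed <u>nested',
    'a < b && c > d',
];
foreach ($samples as $s) {
    echo $s, "\n  -> ", sanitize_simple_tags($s), "\n";
}
```

Two points worth noting when using this shape of filter. First, because the tag regexp stops at the first ">", a quoted attribute value containing ">" (for example <b title="a>b" onMouseOver=x>) is cut at that point and the leftover `b" onMouseOver=x>` is emitted as encoded text; that is visible junk, but it is inert, which is the right failure direction for a sanitizer. Second, htmlspecialchars() with the UTF-8 charset returns an empty string for invalid UTF-8 input, so if user text may arrive in other encodings it should be validated or converted before it reaches this function rather than silently disappearing.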