Hi all, Further to a discussion we had yesterday about the danger of onLoad, onMouseOver, etc etc of allowed tags when using strip_tags(), I've decided to look at the issue from another angle.
For the limited set of tags I usually allow on user input, <B><I><U>, I'm going take the approach of deleting anything I don't specifically TRUST, rather than deleting things I don't trust. For such simple tags, It seems to me to be a smarter move to delete anything in the tag apart from the actual tag. <B"anything else"> becomes <B> This eliminates the danger of people putting anything evil like onmouseover="javascript:self.close();" into my small set of allowed tags. So, I'd like a regexp which looks for multiple occurences of a tag (let's take <B> for an example), and throw out anything not needed. In English, I guess it looks like: look for a "<" followed by a "b" (case insensitive), then throw away anything up to the first ">" we find. Better still would be a regexp or function that checks for b|i|u, or a passed set of tags. I'm aware that this type of hard-line approach will prevent <B id="foo">, and I will also have problems on things like <FONT face="something"> and <A HREF="foo.php">, but I plan to devise some psuedo tags for links, and don't require font tags, image tags, etc etc. Many thanks in advance, Justin French -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
