on 20/09/02 1:14 PM, John Holmes ([EMAIL PROTECTED]) wrote:

> I hope not. That would be a worthless function to have. Did you read my
> post? The basic idea is validation is to allow what you _know_ is good,
> and kill the rest. You don't kill a couple things you know are bad, then
> assume the rest is good and let it in.

I'm with John on this one for sure... To pretend you know every possible
"bad" thing that can happen is plain stoopid.  Develop a list of things you
accept (commonly <p><b><i><br>), and turf the rest.

What I WOULD like to see in a future PHP release is a strip attributes
feature.  Not sure of how to implement it, but even if you only let a few
tags through, there are still BIG problems with the tags:

<B onclick="javascript: window.close()"> (not sure of the exact syntax) is
pretty evil.

Perhaps if strip tags could be extended so that you can list ALLOWED

$string = striptags2('<P class id style><B><I><BR><A href target>', $string)

Essentially, this would kill off anyone doing an onclick/onmouseover/etc. on
the allowed tags.

This still leaves a few problems, the biggest of which is
href="javascript:..." in <a> tags.

A further extension might be to list the allowed protocols of href??  There
could be an allowance for http, ftp, ext (external), rel (relative links),
javascript, and others I'm not thinking about.

striptags2('<b><A href[rel] target>', $string)
would only allow relative links

striptags2('<b><A href[http|ftp|rel] target>', $string)
would only allow relative, http and ftp links... NOT javascript for example

This would make striptags() a HIGHLY powerful tool for validating user input
which contains HTML.  Yes, it can all be done with regexps if you've got
enough time and skills, but I don't :)

Sorry for getting off topic!!


Justin French

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
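Added example, not part of the list post above and not an existing PHP function: the per-tag attribute allow-list plus href scheme allow-list that the post sketches as `striptags2()`, implemented on ext/dom (DOMDocument) rather than with regular expressions. Everything below is this example's own convention: the function names `filter_html()`, `clean_children()` and `url_scheme()`, the `tag => [attributes]` allow-list shape, and the token `rel` for a scheme-less relative link. Two deliberate choices: the input is parsed and the DOM is walked, so entity-encoded tricks such as `&#106;avascript:` arrive at the scheme check already decoded; and `style` is left off the example allow-list because a style attribute is its own injection surface (CSS `url()` and legacy `expression()`), even though the post lists it for `<P>`.

```php
<?php
// Added example (not Justin French's code, and not an existing PHP function):
// the "striptags2" the post wishes for, built on ext/dom instead of regexps.
// The allow-list shape is this example's own convention:
//   tag => [attribute, ...]   e.g. 'a' => ['href', 'target'], 'b' => []
// href values are further restricted to $hrefSchemes; the token 'rel'
// (also invented here) stands for a scheme-less relative link.

function url_scheme(string $url): string
{
    // Browsers ignore ASCII controls and whitespace inside a scheme
    // ("java\tscript:", " javascript:"), so strip them before classifying.
    $u = preg_replace('/[\x00-\x20]+/', '', $url);
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $u, $m)) {
        return strtolower($m[1]);
    }
    if (substr($u, 0, 2) === '//') {
        return 'protocol-relative';   // //evil.example/ inherits the page's scheme
    }
    return 'rel';
}

function clean_children(DOMNode $parent, array $allowed, array $hrefSchemes): void
{
    // Work on a copy of the child list: nodes are moved and removed while walking.
    foreach (iterator_to_array($parent->childNodes) as $node) {
        if ($node instanceof DOMElement) {
            $tag = strtolower($node->tagName);
            if ($tag === 'script' || $tag === 'style') {
                $parent->removeChild($node);   // drop these together with their contents
                continue;
            }
            clean_children($node, $allowed, $hrefSchemes);   // clean the subtree first
            if (!isset($allowed[$tag])) {
                // Not on the list: keep the (already cleaned) content, lose the tag,
                // which is what strip_tags() does with a disallowed tag.
                while ($node->firstChild !== null) {
                    $parent->insertBefore($node->firstChild, $node);
                }
                $parent->removeChild($node);
                continue;
            }
            $keep = array_map('strtolower', $allowed[$tag]);
            foreach (iterator_to_array($node->attributes) as $attr) {
                $name = strtolower($attr->name);
                if (!in_array($name, $keep, true)) {
                    $node->removeAttribute($attr->name);   // onclick=, onmouseover=, style=, ...
                } elseif ($name === 'href' && !in_array(url_scheme($attr->value), $hrefSchemes, true)) {
                    $node->removeAttribute($attr->name);   // javascript:, data:, vbscript:, ...
                }
            }
        } elseif (!($node instanceof DOMText)) {
            $parent->removeChild($node);   // comments and other non-text nodes
        }
    }
}

function filter_html(string $html, array $allowed, array $hrefSchemes = ['http', 'https', 'rel']): string
{
    $allowed = array_change_key_case($allowed, CASE_LOWER);
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);   // user markup is rarely well-formed
    $doc->loadHTML('<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8">'
        . '</head><body>' . $html . '</body></html>');
    libxml_use_internal_errors($prev);
    // Clean the whole <body> rather than a wrapper element: libxml ignores stray
    // </body> end tags, so input cannot break out of the subtree being filtered.
    $body = $doc->getElementsByTagName('body')->item(0);
    clean_children($body, $allowed, $hrefSchemes);
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed input covering the cases raised in the post.
$allowed = [
    'p'  => ['class', 'id'],
    'b'  => [], 'i' => [], 'br' => [],
    'a'  => ['href', 'target'],
];
$dirty = '<B onclick="javascript: window.close()">bold</B> '
       . '<a href="javascript:alert(1)" target="_blank">one</a> '
       . '<a href="&#106;avascript:alert(2)">two</a> '
       . '<a href="/docs/">three</a> <a href="ftp://host/">four</a>'
       . '<script>evil()</script><div onmouseover="x()">text</div>';
echo filter_html($dirty, $allowed, ['http', 'ftp', 'rel']), "\n";
```

With the allow-list above the `onclick` on `<B>` and the `onmouseover` on the unlisted `<div>` disappear, the two `javascript:` hrefs (plain and entity-encoded) are dropped while the relative and ftp links survive, and the `<script>` element goes away with its body. The caveat a practitioner should keep in mind: libxml's HTML parser is not an HTML5 tree builder, and any difference between how the filter parses the input and how the browser does is the classic bypass route for this kind of sanitiser, so for production use prefer a maintained library built for the purpose (HTML Purifier, for PHP) over a home-grown walker like this one.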
