on 21/11/02 2:25 AM, David Russell ([EMAIL PROTECTED]) wrote:

> strip_tags($_POST['Duplicate'], '<B> <I> <P> <A> <LI> <OL> <UL> <EM>
> OK, so this is cool. I got this list from the Slashdot allowed tags
> list, which I would assume is ok.

Whoa there... NEVER assume because someone else does something that it's
"okay" or "safe".  According to your above checks, I'm allowed to do this:

<B onmouseover="window.close();">something evil</b>

Strip tags does not make a post safe at all... *safer* maybe, but no where
near safe.

Really, what's needed is another version of strip tags which allows you to
specify allowed attributes per tag:

strip_tags_attr($string, '<B> <P class id style> <A href title> <BR>')

But even that wouldn't prevent people from sneaking javascript (OR OTHER
CLIENT SIDE SCRIPTING) into the href attribute.

But, I haven't got enough brains to actually write the extension for PHP, so
hopefully someone else will pick it up eventually.

In the meantime, the only solution I can think of is to not allow
<b>tags</b>... perhaps allow some other form of [i]tag[/i] tag system which
doesn't allow any attributes.   Then you can simply strip all tags, and then
go onto replacing [b] with <b>, etc etc.  It's a lot of work, and you will
run into even more work when you choose to allow [a href=""] or other
attributes, but it IS safer.

Or, perhaps it's "cheaper" for you to do some preliminary stripping of tags
as per your code above, and then have a moderator physically check over the
code for hidden "evil".

Justin French
Web Developent & 
Graphic Design

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to