Hiya, well, you could replace all script tags with this regex:
$string = preg_replace("/<\/?SCRIPT.*?>/is", "", $string);

But, if you're converting all < and > to their HTML equivalents (which you should be) using something like htmlspecialchars or your own regex, you shouldn't even need to do that. You might also want to think about strip_tags(), though again, I prefer just to convert the characters and not worry about it.

As for your links, I'd rethink the user input and use something like [a=www.microsoft.com]Click[/a] ;>

// quick and dirty regex
$string = preg_replace("/\[a=(.+?)\](.*?)\[\/a\]/is", "<a href=\"\\1\" target=\"_blank\">\\2</a>", $string);

James

"Trongduc" <[EMAIL PROTECTED]> wrote in message news:001101c17341$b6de6060$1d0b10ac@d...
> hi,
> can anyone help me with this?
>
> 1)
> I made a simple forum, and it will allow the users to send their messages in
> HTML format.
> But I worried about the security of my website, so I removed all of the
> "<SCRIPT" tags in their messages by placing "</SCRIPT" instead.
> (Because the users may use <SCRIPT language="JavaScript">, so I cannot
> replace "<SCRIPT>" exactly)
>
> Is it the best solution to protect my pages from malicious code? (is it
> secure for my pages?)
> Are there other ways that someone can use malicious code in their messages
> without <SCRIPT>?
>
> 2)
> In the case I do not allow the users to send messages in HTML code, I replaced
> (similar to phpBB code):
> [a]=>"<a href="
> [/a]=>">"
> [//a]=>"</a>"
>
> example the content of message is:
> [a]www.microsoft.com[/a]Click here...[//a]
> ...will place a link to Microsoft.com, but the problems will happen when the
> users use only [a], or [/a], not use [//a] to close the link. Can anyone
> help me to fix this problem? (is there another way to do this more simply?)
>
> thanks very much...
--
PHP General Mailing List (http://www.php.net/)
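The following is an added example, not code from either poster or from the PHP project. It covers both halves of the thread: first it runs the <script>-stripping regex from the reply over messages that survive it yet still run JavaScript in a browser (no <script> tag, a javascript: URL, and a nested tag that one pass of the regex rebuilds into a real one); then it shows the alternative the reply recommends, escaping everything with htmlspecialchars() and only afterwards turning a [a=URL]text[/a] pair into a link, so that a lone [a=...] or [/a] is just displayed as typed. The function names strip_script and render_message, the requirement that a linked URL start with http:// or https://, and the sample messages are all choices made for this example.

```php
<?php
// Added example, not code from the original thread. It shows (1) messages that
// survive the <script>-stripping regex from the reply but still run
// JavaScript in a browser, and (2) one way to render a [a=URL]text[/a] link on
// top of htmlspecialchars() so that unclosed or stray tags are harmless.
// All sample messages below are constructed for this example.

// The regex from the reply: removes <script ...> and </script ...> tags.
function strip_script(string $s): string
{
    return preg_replace('/<\/?SCRIPT.*?>/is', '', $s);
}

// Safer rendering: escape everything first, then link only a validated
// [a=http(s)://...]label[/a] pair. Because the regex runs on escaped text,
// the href and label can no longer contain a raw quote or angle bracket,
// and a lone [a=...] or [/a] is simply displayed as typed.
function render_message(string $msg): string
{
    $safe = htmlspecialchars($msg, ENT_QUOTES, 'UTF-8');

    // Only http/https URLs are linked (an assumption of this example), so
    // "javascript:" never becomes an href. The label may not contain
    // brackets, so an opening [a=...] without a matching [/a] cannot
    // swallow later text.
    return preg_replace(
        '/\[a=(https?:\/\/[^\s\[\]<>"]+)\]([^\[\]]*)\[\/a\]/i',
        '<a href="$1" target="_blank" rel="noopener">$2</a>',
        $safe
    );
}

// --- (1) what the stripping regex lets through ---------------------------
$bypasses = [
    // No <script> tag at all; the event handler runs when the image fails.
    '<img src="x" onerror="alert(1)">'
        => '<img src="x" onerror="alert(1)">',
    // A javascript: URL in an ordinary link.
    '<a href="javascript:alert(1)">Click</a>'
        => '<a href="javascript:alert(1)">Click</a>',
    // Nested tag: one pass removes the inner tags and rebuilds a real one.
    '<scr<script>ipt>alert(1)</scr</script>ipt>'
        => '<script>alert(1)</script>',
];
foreach ($bypasses as $input => $expected) {
    $out = strip_script($input);
    if ($out !== $expected) {
        throw new RuntimeException("unexpected: $out");
    }
    echo "strip_script leaves: $out\n";
}

// --- (2) escaping plus validated links ------------------------------------
$rendered = [
    '<script>alert(1)</script>'
        => '&lt;script&gt;alert(1)&lt;/script&gt;',
    '[a=http://www.microsoft.com]Click[/a]'
        => '<a href="http://www.microsoft.com" target="_blank" rel="noopener">Click</a>',
    // & in the URL is escaped before linking, which is also correct in an attribute.
    '[a=http://example.com/?q=1&x=2]Query[/a]'
        => '<a href="http://example.com/?q=1&amp;x=2" target="_blank" rel="noopener">Query</a>',
    // Not http(s): left as literal text, never an href.
    '[a=javascript:alert(1)]Click[/a]'
        => '[a=javascript:alert(1)]Click[/a]',
    // Unclosed tag: left as literal text.
    '[a=http://example.com]no closing tag'
        => '[a=http://example.com]no closing tag',
];
foreach ($rendered as $input => $expected) {
    $out = render_message($input);
    if ($out !== $expected) {
        throw new RuntimeException("unexpected: $out");
    }
    echo "render_message gives: $out\n";
}
echo "all checks passed\n";
```

Run it with `php example.php`; each sample is checked against the string it is expected to produce and the script throws on the first mismatch. Two points worth noting: because the link regex insists on an http:// or https:// scheme, a bare `www.microsoft.com` as in the reply's example would have to be prefixed before it is linked, and if the forum really must accept arbitrary HTML rather than a handful of BBCode shapes, a regex pass is not enough; that case calls for a proper HTML sanitizer that parses the markup and keeps only an allow-list of tags and attributes.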