Re: [PHP] Close all open tags in HTML text
On 09-Dec-2004 Marek Kilimajer wrote:
>
> not really, but it removes and so javascript is not
> interpreted.

$txt = preg_replace('|]*?>.*?|si', '', $txt);

Regards,
--
Don Read [EMAIL PROTECTED]
-- It's always darkest before the dawn. So if you are going to
   steal the neighbor's newspaper, that's the time to do it.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Close all open tags in HTML text
Matt Palermo wrote:
> I realize that I can use the strip_tags function to remove HTML. But I
> don't want to remove HTML tags. I just want to make sure all open HTML
> tags are closed. For example if the user submits HTML with a tag and
> never closes it, then the rest of the page will look screwed up. I still
> want to allow them to use HTML, but I want to close tags that were left
> open by them. This way it allows them to use HTML and it won't screw up
> the rest of the page.

Hopefully these are trusted users, authenticated to alter any and all
content on the web-site.

Otherwise, you might as well post your 'root' password on your home
page...

Perhaps I'm just telling you something you already know -- better that
than you going forward with this and *not* realizing just how insecure
it is.

--
Like Music?
http://l-i-e.com/artists.htm
Re: [PHP] Close all open tags in HTML text
Matt Palermo wrote:
> I realize that I can use the strip_tags function to remove HTML. But I
> don't want to remove HTML tags. I just want to make sure all open HTML
> tags are closed. For example if the user submits HTML with a tag and
> never closes it, then the rest of the page will look screwed up. I still
> want to allow them to use HTML, but I want to close tags that were left
> open by them. This way it allows them to use HTML and it won't screw up
> the rest of the page.
>
> Thanks,
>
> Matt
>
> "Richard Lynch" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
>> Matt Palermo wrote:
>>> I would like to leave any HTML in there,
>>
>> Do you *TRUST* the people typing the HTML to not attack your server, or
>> others, with cross-site scripting attacks?
>>
>> If not, go re-read the manual about strip_tags, and pay particular
>> attention to the second, optional, argument.
>>
>>> but just make sure that ending tags exist, so it doesn't screw up the
>>> rest of the page. Strip tags would just wipe out the HTML rather than
>>> allowing it and ending it safely.
>>
>> Strip tags will allow you to wipe out *DANGEROUS* HTML which will make
>> your web server a source of problems not only to you, but to me as well.
>>
>> Please use strip_tags to allow only the tags you *NEED* the users to be
>> able to use.
>>
>> It will only take you seconds, and it will save you (and us) a lot of
>> grief in the long run.
>>
>> --
>> Like Music?
>> http://l-i-e.com/artists.htm

You still need to control it. This would certainly fuck up your page:

--
Daniel Schierbeck

Help spread Firefox (www.getfirefox.com):
http://www.spreadfirefox.com/?q=user/register&r=6584
Re: Re: [PHP] Close all open tags in HTML text
On Fri, 10 Dec 2004 17:38:13 -0500, John Holmes <[EMAIL PROTECTED]> wrote:
> strip_tags() is a rather worthless function, if you ask me.

strip_tags() is pretty handy when scraping another site. Like the other
day I was asked to grab some links off a site where there was no RSS feed
available.. I easily left the anchor tags in but removed everything else.

--
Greg Donald
Zend Certified Engineer
http://gdconsultants.com/
http://destiney.com/
Re: [PHP] Close all open tags in HTML text
I realize that I can use the strip_tags function to remove HTML. But I
don't want to remove HTML tags. I just want to make sure all open HTML
tags are closed. For example if the user submits HTML with a tag and
never closes it, then the rest of the page will look screwed up. I still
want to allow them to use HTML, but I want to close tags that were left
open by them. This way it allows them to use HTML and it won't screw up
the rest of the page.

Thanks,

Matt

"Richard Lynch" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> Matt Palermo wrote:
>> I would like to leave any HTML in there,
>
> Do you *TRUST* the people typing the HTML to not attack your server, or
> others, with cross-site scripting attacks?
>
> If not, go re-read the manual about strip_tags, and pay particular
> attention to the second, optional, argument.
>
>> but just make sure that ending tags exist, so it doesn't screw up the
>> rest of the page. Strip tags would just wipe out the HTML rather than
>> allowing it and ending it safely.
>
> Strip tags will allow you to wipe out *DANGEROUS* HTML which will make
> your web server a source of problems not only to you, but to me as well.
>
> Please use strip_tags to allow only the tags you *NEED* the users to be
> able to use.
>
> It will only take you seconds, and it will save you (and us) a lot of
> grief in the long run.
>
> --
> Like Music?
> http://l-i-e.com/artists.htm
Re: Re: [PHP] Close all open tags in HTML text
> From: "Richard Lynch" <[EMAIL PROTECTED]>
> Matt Palermo wrote:
> > but just make sure that ending tags exist, so it doesn't screw up the
> > rest of the page. Strip tags would just wipe out the HTML rather than
> > allowing it and ending it safely.
>
> Strip tags will allow you to wipe out *DANGEROUS* HTML which will make
> your web server a source of problems not only to you, but to me as well.
>
> Please use strip_tags to allow only the tags you *NEED* the users to be
> able to use.
>
> It will only take you seconds, and it will save you (and us) a lot of
> grief in the long run.

strip_tags() is a rather worthless function, if you ask me. It strips
such evil code as or anything else surrounded by < and >. Its "allowed
tags" attribute is misleading, also. You can think you're safe by
allowing tags, but I can include onmouseover (or any other) events to
trigger javascript and XSS attacks. You're better to roll your own
solution or just run everything through htmlentities()/htmlspecialchars()
and show the user exactly what they typed.

I'm on a crusade against the use of strip_tags(), if you haven't figured
that out yet. :)

---John Holmes...

UCCASS - PHP Survey System
http://www.bigredspark.com/survey.html
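
The point raised in the message above (the allowed-tags argument of strip_tags() filters tag names, not attributes) together with the thread's original request to close unclosed tags, as an added PHP example that is not code from any poster in this thread. It parses the fragment with DOMDocument, keeps only allow-listed elements with their attributes removed, and re-serializes the tree so every open tag is closed; ALLOWED, DROPPED, sanitize_fragment() and the sample $input are constructed for illustration.

```php
<?php
// Added example; ALLOWED, DROPPED, sanitize_fragment() and $input are constructed names.
const ALLOWED = ['b', 'i', 'em', 'strong', 'p', 'br', 'ul', 'ol', 'li', 'a'];
const DROPPED = ['script', 'style', 'iframe', 'object', 'embed']; // removed with content
function sanitize_fragment(string $html): string
{
    libxml_use_internal_errors(true);      // malformed user HTML is expected here
    $doc = new DOMDocument();
    // The leading declaration makes libxml read the input as UTF-8.
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $html);
    libxml_clear_errors();
    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';
    }
    foreach (iterator_to_array((new DOMXPath($doc))->query('//comment()')) as $c) {
        $c->parentNode->removeChild($c);   // comments are dropped outright
    }
    // Snapshot the live node list before mutating the tree.
    foreach (iterator_to_array($body->getElementsByTagName('*')) as $el) {
        $tag = strtolower($el->nodeName);
        if (in_array($tag, DROPPED, true)) {
            $el->parentNode->removeChild($el);
        } elseif (!in_array($tag, ALLOWED, true)) {
            while ($el->firstChild) {      // unwrap: keep the text, lose the tag
                $el->parentNode->insertBefore($el->firstChild, $el);
            }
            $el->parentNode->removeChild($el);
        } else {
            $href = $el->getAttribute('href');
            while ($el->attributes->length > 0) {   // no attribute survives by default
                $el->removeAttributeNode($el->attributes->item(0));
            }
            if ($tag === 'a' && preg_match('#^https?://#i', $href)) {
                $el->setAttribute('href', $href);   // only plain web links are put back
            }
        }
    }
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);    // serializing the tree emits the closing tags
    }
    return $out;
}

$input = '<b onmouseover="alert(1)">bold <i>and italic<script>alert(2)</script>';
echo strip_tags($input, '<b><i>'), "\n";   // the allow-list applies to tag names only
echo sanitize_fragment($input), "\n";
```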
Re: [PHP] Close all open tags in HTML text
Matt Palermo wrote:
> I would like to leave any HTML in there,

Do you *TRUST* the people typing the HTML to not attack your server, or
others, with cross-site scripting attacks?

If not, go re-read the manual about strip_tags, and pay particular
attention to the second, optional, argument.

> but just make sure that ending tags exist, so it doesn't screw up the
> rest of the page. Strip tags would just wipe out the HTML rather than
> allowing it and ending it safely.

Strip tags will allow you to wipe out *DANGEROUS* HTML which will make
your web server a source of problems not only to you, but to me as well.

Please use strip_tags to allow only the tags you *NEED* the users to be
able to use.

It will only take you seconds, and it will save you (and us) a lot of
grief in the long run.

--
Like Music?
http://l-i-e.com/artists.htm
Re: [PHP] Close all open tags in HTML text
I would like to leave any HTML in there, but just make sure that ending
tags exist, so it doesn't screw up the rest of the page. Strip tags would
just wipe out the HTML rather than allowing it and ending it safely.

"Richard Lynch" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> Matt Palermo wrote:
>> I am allowing users to input HTML code into a textarea. After they
>> input this, I want to output their HTML to the browser. In order for
>> the document to be safe, I need to close all open HTML tags that have
>> been left open by the user, along with any open comments. Is there a
>> way to take an HTML string and add closing tags and comments to it if
>> needed?
>
> After you use http://php.net/tidy to fix the HTML, use
> http://php.net/strip_tags to rip out all but the handful of tags you
> really want to allow them to use, most especially any JavaScript they
> might shove in to attack your (and my!) server.
>
> I *think* strip_tags rips out JavaScript. RTFM to be sure.
>
> --
> Like Music?
> http://l-i-e.com/artists.htm
Re: [PHP] Close all open tags in HTML text
Richard Lynch wrote:
> Matt Palermo wrote:
>> I am allowing users to input HTML code into a textarea. After they
>> input this, I want to output their HTML to the browser. In order for
>> the document to be safe, I need to close all open HTML tags that have
>> been left open by the user, along with any open comments. Is there a
>> way to take an HTML string and add closing tags and comments to it if
>> needed?
>
> After you use http://php.net/tidy to fix the HTML, use
> http://php.net/strip_tags to rip out all but the handful of tags you
> really want to allow them to use, most especially any JavaScript they
> might shove in to attack your (and my!) server.
>
> I *think* strip_tags rips out JavaScript. RTFM to be sure.

not really, but it removes and so javascript is not interpreted.
Re: [PHP] Close all open tags in HTML text
Matt Palermo wrote:
> I am allowing users to input HTML code into a textarea. After they input
> this, I want to output their HTML to the browser. In order for the
> document to be safe, I need to close all open HTML tags that have been
> left open by the user, along with any open comments. Is there a way to
> take an HTML string and add closing tags and comments to it if needed?

After you use http://php.net/tidy to fix the HTML, use
http://php.net/strip_tags to rip out all but the handful of tags you
really want to allow them to use, most especially any JavaScript they
might shove in to attack your (and my!) server.

I *think* strip_tags rips out JavaScript. RTFM to be sure.

--
Like Music?
http://l-i-e.com/artists.htm
Re: [PHP] Close all open tags in HTML text
On Wed, 8 Dec 2004 22:33:19 -0500, Matt Palermo <[EMAIL PROTECTED]> wrote:
> I am allowing users to input HTML code into a textarea. After they input
> this, I want to output their HTML to the browser. In order for the
> document to be safe, I need to close all open HTML tags that have been
> left open by the user, along with any open comments. Is there a way to
> take an HTML string and add closing tags and comments to it if needed?

You might want to look at the html tidy functions for tidying and
repairing html:

http://www.php.net/manual/en/ref.tidy.php

-robin
Reply: [PHP] Close all open tags in HTML text
Maybe you could use an iframe to make your own page much safer, although
showing the users' input is very dangerous.

-Original Message-
From: Raditha Dissanayake [mailto:[EMAIL PROTECTED]
Sent: 9 December 2004 12:26
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] Close all open tags in HTML text

Matt Palermo wrote:

>I am allowing users to input HTML code into a textarea. After they input
>this, I want to output their HTML to the browser. In order for the
>document to be safe, I need to close all open HTML tags that have been
>left open by the user, along with any open comments. Is there a way to
>take an HTML string and add closing tags and comments to it if needed?
>

Certainly not impossible but by no means an easy task. You would be
doing the job of an html validator and it's probably better for you to
use a third party library for that than to code it yourself.

>Thanks,
>
>Matt
>

--
Raditha Dissanayake.
--
http://www.radinks.com/print/card-designer/ | Card Designer Applet
http://www.radinks.com/upload/ | Drag and Drop Upload
Re: [PHP] Close all open tags in HTML text
Matt Palermo wrote:

> I am allowing users to input HTML code into a textarea. After they input
> this, I want to output their HTML to the browser. In order for the
> document to be safe, I need to close all open HTML tags that have been
> left open by the user, along with any open comments. Is there a way to
> take an HTML string and add closing tags and comments to it if needed?

Certainly not impossible but by no means an easy task. You would be
doing the job of an html validator and it's probably better for you to
use a third party library for that than to code it yourself.

> Thanks,
>
> Matt

--
Raditha Dissanayake.
--
http://www.radinks.com/print/card-designer/ | Card Designer Applet
http://www.radinks.com/upload/ | Drag and Drop Upload
[PHP] Close all open tags in HTML text
I am allowing users to input HTML code into a textarea. After they input
this, I want to output their HTML to the browser. In order for the
document to be safe, I need to close all open HTML tags that have been
left open by the user, along with any open comments. Is there a way to
take an HTML string and add closing tags and comments to it if needed?

Thanks,

Matt