Re: AW: [PHP] Re: Second opinion needed - javascript blocker
on 23/04/02 1:59 PM, Martin Towell ([EMAIL PROTECTED]) wrote:

> would become
>
> =foo
> ="foo"
> = "foo"
> ='foo'
> ='foo'
>
> which the browser would just ignore

In theory, yes. I don't think I'd trust it here -- this is potentially malicious content added by unknown people.

I'd be taking the approach keep what you trust, throw out the rest, which is a more complex set of regexps though.

hence should be trimmed back to

this is easier on a smaller subset of HTML, rather than "all HTML". I personally would not give unknown contributors any more than you have to.

Justin
Creative Director
http://Indent.com.au

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

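The "keep what you trust, throw out the rest" approach from the message above, sketched as an allowlist filter built on PHP's DOM extension. This is an added example, not code from any poster in the thread; the tag and attribute lists, the accepted href prefixes and the function names are assumptions.

```php
<?php
// Added example, not code from the thread. Both allowlists are assumed values.
const ALLOWED = ['a' => ['href'], 'b' => [], 'i' => [], 'u' => [], 'p' => [], 'br' => []];
const SAFE_HREF = '~^(?:https?://|mailto:|/|#)~i';   // link targets we explicitly trust

function clean_children(DOMNode $parent): void
{
    foreach (iterator_to_array($parent->childNodes) as $child) {
        if ($child->nodeType === XML_TEXT_NODE) {
            continue;                        // plain text is entity-escaped on output
        }
        $tag = strtolower($child->nodeName);
        // Comments, CDATA and PIs go; script/style go together with their content.
        if ($child->nodeType !== XML_ELEMENT_NODE || in_array($tag, ['script', 'style'], true)) {
            $parent->removeChild($child);
            continue;
        }
        clean_children($child);
        if (!array_key_exists($tag, ALLOWED)) {
            while ($child->firstChild) {     // untrusted tag: keep only its cleaned content
                $parent->insertBefore($child->firstChild, $child);
            }
            $parent->removeChild($child);
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->nodeName);
            $trusted = in_array($name, ALLOWED[$tag], true)
                && ($name !== 'href' || preg_match(SAFE_HREF, trim($attr->nodeValue)) === 1);
            if (!$trusted) {
                $child->removeAttributeNode($attr);   // onmouseover, onclick, style, ...
            }
        }
    }
}

function sanitize_html(string $html): string
{
    libxml_use_internal_errors(true);        // user markup is often malformed
    $doc = new DOMDocument();
    $doc->loadHTML('<?xml encoding="utf-8"?><div>' . $html . '</div>', LIBXML_NONET);
    libxml_clear_errors();
    $body = $doc->getElementsByTagName('body')->item(0);   // the wrapper guarantees a body
    clean_children($body);                   // the wrapper <div> is itself unwrapped here
    return implode('', array_map([$doc, 'saveHTML'], iterator_to_array($body->childNodes)));
}

// Constructed sample input: event handlers are dropped, the trusted tags and link remain.
echo sanitize_html('<p onmouseover="x()">Hi <b>there</b> <a href="https://example.org/" onclick="y()">link</a></p>'), "\n";
```

Because the filter works on the parsed tree, it never has to recognise an event-handler name: any attribute or tag not on the list is removed by default. For fields that need no markup at all, htmlspecialchars() on output is the simpler choice.
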
RE: AW: [PHP] Re: Second opinion needed - javascript blocker
What about:
1. getting rid of anything between ""
2. get rid of any attributes that start with " on" and end with a quote or space

Maybe I'm forgetting about some valid attributes that start with "on", you might have to cater for them

Does this work?

HTH
Martin

-----Original Message-----
From: Leif K-Brooks [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 23, 2002 6:49 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: AW: [PHP] Re: Second opinion needed - javascript blocker

Thanks, but I don't want to block html, I want to block javascript! And since onmouseover and similar events can be put in any tag, I'm trying to block them.

on 4/22/02 4:44 PM, J Smith at [EMAIL PROTECTED] wrote:

Then I'd suggest using the strip_tags() function and define which tags you'd like to leave untouched.

J

Red Wingate wrote:

> He might want to use this function but doing so no links or bold underline
> Tags will be destroyed as well.
>

Re: AW: [PHP] Re: Second opinion needed - javascript blocker
Thanks, but I don't want to block html, I want to block javascript! And since onmouseover and similar events can be put in any tag, I'm trying to block them.

on 4/22/02 4:44 PM, J Smith at [EMAIL PROTECTED] wrote:

Then I'd suggest using the strip_tags() function and define which tags you'd like to leave untouched.

J

Red Wingate wrote:

> He might want to use this function but doing so no links or bold underline
> Tags will be destroyed as well.
>

Re: AW: [PHP] Re: Second opinion needed - javascript blocker
Then I'd suggest using the strip_tags() function and define which tags you'd like to leave untouched.

J

Red Wingate wrote:

> He might want to use this function but doing so no links or bold underline
> Tags will be destroyed as well.
>

AW: [PHP] Re: Second opinion needed - javascript blocker
He might want to use this function but doing so no links or bold underline Tags will be destroyed as well.

-----Original Message-----
From: J Smith [mailto:[EMAIL PROTECTED]]
Sent: Monday, 22 April 2002 10:08 PM
To: [EMAIL PROTECTED]
Subject: [PHP] Re: Second opinion needed - javascript blocker

Try looking at htmlspecialchars() and htmlentities() instead. They'll convert things like < and > to &gt; and &lt; and ampersands to &amp;.

J

Leif K-Brooks wrote:

> I am trying to block javascript from areas of my site that users can
> change.
> I am going to use the following code. Can someone give me a second
> opinion on whether it will work?
>
> function stopjavascript($text){
>     //Stop people from using &whatever; tags, in case they can smuggle javascript in with that
>     $text = str_replace("&","&amp;",$text);
>     //Stop the onmouseover, etc. parameters
>     $text = eregi_replace("on","o-n",$text);
>     //Stop script tags, as well as links to javascript:
>     $text = eregi_replace("script","sc-ript",$text);
>     //Return the edited string
>     return $text;
> }

[PHP] Re: Second opinion needed - javascript blocker
Try looking at htmlspecialchars() and htmlentities() instead. They'll convert things like < and > to &gt; and &lt; and ampersands to &amp;.

J

Leif K-Brooks wrote:

> I am trying to block javascript from areas of my site that users can
> change.
> I am going to use the following code. Can someone give me a second
> opinion on whether it will work?
>
> function stopjavascript($text){
>     //Stop people from using &whatever; tags, in case they can smuggle javascript in with that
>     $text = str_replace("&","&amp;",$text);
>     //Stop the onmouseover, etc. parameters
>     $text = eregi_replace("on","o-n",$text);
>     //Stop script tags, as well as links to javascript:
>     $text = eregi_replace("script","sc-ript",$text);
>     //Return the edited string
>     return $text;
> }