Re: AW: [PHP] Re: Second opinion needed - javascript blocker

2002-04-22 Thread Justin French

on 23/04/02 1:59 PM, Martin Towell ([EMAIL PROTECTED]) wrote:


> would become
> 
> =foo
> ="foo"
> = "foo"
> ='foo'
> ='foo'
> 
> which the browser would just ignore

In theory, yes.  I don't think I'd trust it here -- this is potentially
malicious content added by unknown people.  I'd be taking the approach of
"keep what you trust, throw out the rest", which is a more complex set of
regexps though.

hence  should be trimmed back to  this is easier on a
smaller subset of HTML, rather than "all HTML".

I personally would not give unknown contributors any more than you have to.


Justin

Creative Director
http://Indent.com.au



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
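Justin's "keep what you trust, throw out the rest" approach, written out as an added example (this is not code from the thread, nor from PHP itself): a parser-based allowlist sanitiser for a small HTML subset. It assumes PHP 7 or later with ext-dom (libxml); the tag and attribute lists and the helper names are illustrative choices, and the untrusted input is constructed.

```php
<?php
// Added example, not code from the thread: an allowlist sanitiser for a small
// HTML subset, in the "keep what you trust, throw out the rest" spirit.
// It parses the fragment with ext-dom (libxml) and rebuilds it, so no regular
// expression has to anticipate every way an attribute can be written.
// Helper names and the chosen allowlist are assumptions for illustration.

// Tag => attributes that may survive on it. Every other tag and attribute is dropped.
const ALLOWED_TAGS = [
    'a'  => ['href'],
    'b'  => [],
    'i'  => [],
    'u'  => [],
    'p'  => [],
    'br' => [],
];

// Only absolute http/https links are kept; any other scheme is discarded.
function safe_href(string $url): bool
{
    return preg_match('#^https?://#i', trim($url)) === 1;
}

function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Walk the parsed tree and emit only allowlisted structure; text is re-escaped.
function rebuild(DOMNode $node): string
{
    $out = '';
    foreach ($node->childNodes as $child) {
        if ($child instanceof DOMText) {
            $out .= esc($child->nodeValue);        // nodeValue is already entity-decoded
            continue;
        }
        if (!($child instanceof DOMElement)) {
            continue;                              // comments, PIs: dropped
        }
        $tag = strtolower($child->tagName);
        if (!isset(ALLOWED_TAGS[$tag])) {
            // Unknown tag: drop the tag itself but keep its (escaped) text,
            // except script/style, whose content was never meant to be shown.
            if ($tag !== 'script' && $tag !== 'style') {
                $out .= rebuild($child);
            }
            continue;
        }
        $attrs = '';
        foreach (ALLOWED_TAGS[$tag] as $name) {
            if (!$child->hasAttribute($name)) {
                continue;
            }
            $value = $child->getAttribute($name);
            if ($name === 'href' && !safe_href($value)) {
                continue;                          // link text kept, unsafe target dropped
            }
            $attrs .= ' ' . $name . '="' . esc($value) . '"';
        }
        $out .= $tag === 'br' ? '<br>' : "<$tag$attrs>" . rebuild($child) . "</$tag>";
    }
    return $out;
}

function sanitize_html(string $fragment): string
{
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);      // sloppy user markup must not emit warnings
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $fragment . '</div>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    $wrapper = $doc->getElementsByTagName('div')->item(0);   // our wrapper is the first div
    return $wrapper === null ? '' : rebuild($wrapper);
}

// Constructed untrusted input: a handler attribute and a javascript: link
// (the two things the thread worries about), an unknown tag, and literal entities.
$untrusted = '<p onmouseover="handler()">Read <a href="javascript:handler()">this</a> '
           . 'and <a href="https://example.com/">that</a> <font color="red">now</font>'
           . ' &lt;b&gt; literally</p><script>handler()</script>';
echo sanitize_html($untrusted), PHP_EOL;
```

For the constructed input the rebuilt fragment keeps the paragraph, both links and the link text, but the `onmouseover` attribute, the `javascript:` target, the `<font>` tag and the whole `<script>` element are gone, and the literal `&lt;b&gt;` stays literal. Two caveats: libxml's HTML parser is HTML4-era and does not follow the HTML5 tree-construction rules browsers apply, so for production use a maintained library such as HTML Purifier; the structure (parse, walk, rebuild from an allowlist, never try to enumerate what is bad) is the same either way.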




RE: AW: [PHP] Re: Second opinion needed - javascript blocker

2002-04-22 Thread Martin Towell

What about:
1. getting rid of anything between ""
2. get rid of any attributes that start with " on" and end with a
quote or space
Maybe I'm forgetting about some valid attributes that start
with "on", you might have to cater for them

Does this work?

HTH
Martin


-Original Message-
From: Leif K-Brooks [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 23, 2002 6:49 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: AW: [PHP] Re: Second opinion needed - javascript blocker


Thanks, but I don't want to block html, I want to block javascript!  And
since onmouseover and similar events can be put in any tag, I'm trying to
block them.
on 4/22/02 4:44 PM, J Smith at [EMAIL PROTECTED] wrote:


Then I'd suggest using the strip_tags() function and define which tags you'd
like to leave untouched.

J


Red Wingate wrote:

> He might want to use this function, but in doing so links and bold or underline
> tags will be destroyed as well.
> 









Re: AW: [PHP] Re: Second opinion needed - javascript blocker

2002-04-22 Thread Leif K-Brooks

Thanks, but I don't want to block html, I want to block javascript!  And
since onmouseover and similar events can be put in any tag, I'm trying to
block them.
on 4/22/02 4:44 PM, J Smith at [EMAIL PROTECTED] wrote:


Then I'd suggest using the strip_tags() function and define which tags you'd
like to leave untouched.

J


Red Wingate wrote:

> He might want to use this function, but in doing so links and bold or underline
> tags will be destroyed as well.
> 







Re: AW: [PHP] Re: Second opinion needed - javascript blocker

2002-04-22 Thread J Smith


Then I'd suggest using the strip_tags() function and define which tags you'd 
like to leave untouched.

J


Red Wingate wrote:

> He might want to use this function, but in doing so links and bold or underline
> tags will be destroyed as well.
> 






AW: [PHP] Re: Second opinion needed - javascript blocker

2002-04-22 Thread Red Wingate

He might want to use this function, but in doing so links and bold or underline
tags will be destroyed as well.

-Original Message-
From: J Smith [mailto:[EMAIL PROTECTED]]
Sent: Monday, 22 April 2002 10:08 PM
To: [EMAIL PROTECTED]
Subject: [PHP] Re: Second opinion needed - javascript blocker


Try looking at htmlspecialchars() and htmlentities() instead. They'll
convert things like < and > to &gt; and &lt; and ampersands to &amp;.

J


Leif K-Brooks wrote:

> I am trying to block javascript from areas of my site that users can
> change.
> I am going to use the following code.  Can someone give me a second
> opinion on whether it will work?
>
> function stopjavascript($text){
>     // Stop people from using &whatever; tags, in case they can smuggle
>     // javascript in with that
>     $text = str_replace("&","&amp;",$text);
>     // Stop the onmouseover, etc. parameters
>     $text = eregi_replace("on","o-n",$text);
>     // Stop script tags, as well as links to javascript:
>     $text = eregi_replace("script","sc-ript",$text);
>     // Return the edited string
>     return $text;
> }








[PHP] Re: Second opinion needed - javascript blocker

2002-04-22 Thread J Smith


Try looking at htmlspecialchars() and htmlentities() instead. They'll
convert things like < and > to &gt; and &lt; and ampersands to &amp;.

J


Leif K-Brooks wrote:

> I am trying to block javascript from areas of my site that users can
> change.
> I am going to use the following code.  Can someone give me a second
> opinion on whether it will work?
> 
> function stopjavascript($text){
>     // Stop people from using &whatever; tags, in case they can smuggle
>     // javascript in with that
>     $text = str_replace("&","&amp;",$text);
>     // Stop the onmouseover, etc. parameters
>     $text = eregi_replace("on","o-n",$text);
>     // Stop script tags, as well as links to javascript:
>     $text = eregi_replace("script","sc-ript",$text);
>     // Return the edited string
>     return $text;
> }


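An added example (not code from the thread) contrasting the posted substring blocklist with the two functions J Smith suggests in this thread, htmlspecialchars() here and strip_tags() in his later reply. The sample strings are constructed; the blocklist is reproduced with preg_replace() because eregi_replace() no longer exists in PHP 7, and the function names are illustrative.

```php
<?php
// Added example, not code from the thread. It contrasts the posted substring
// blocklist with PHP's own output-encoding and tag-stripping functions.
// Sample strings are constructed for the demonstration.

// The posted blocklist, reproduced for comparison with preg_replace()
// (eregi_replace() was removed in PHP 7). Same three substitutions, same order.
function blocklist_filter(string $text): string
{
    $text = str_replace('&', '&amp;', $text);
    $text = preg_replace('/on/i', 'o-n', $text);
    $text = preg_replace('/script/i', 'sc-ript', $text);
    return $text;
}

// Output encoding: the text is stored exactly as typed and every
// HTML-significant character is escaped at render time, so the browser
// displays it as text. Nothing the user wrote is lost or rewritten.
function encode_for_html(string $text): string
{
    return nl2br(htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}

// strip_tags() with an allow list removes every other tag, but its documented
// behaviour is to leave attributes on the allowed tags untouched, so an event
// handler on <b> survives. Allowed tags still need attribute filtering.
function strip_to_allowed(string $html): string
{
    return strip_tags($html, '<b><i><a>');
}

// Benign user text, constructed: no markup at all, yet the blocklist
// rewrites ordinary English words that happen to contain "on" or "script".
$benign = "Once upon a time, the product description was updated & reposted.\nOn Monday.";
echo blocklist_filter($benign), PHP_EOL;
echo encode_for_html($benign), PHP_EOL;

// Markup with an event handler on an allowed tag, constructed.
$markup = '<b onmouseover="handler()">bold</b> <img src="x.png"> text';
echo strip_to_allowed($markup), PHP_EOL;
```

Run it and the first line shows the blocklist's collateral damage: "Once" becomes "O-nce", "upon" becomes "upo-n", "description" becomes "desc-riptio-n" and "On Monday" becomes "O-n Mo-nday", while the second line is the same text with only `&` encoded as `&amp;` and the newline turned into a `<br />`. The third line shows strip_tags() removing `<img>` but leaving `<b onmouseover="handler()">` intact, which is exactly the case Leif raises: if users are to be allowed any tags at all, attributes on the allowed tags have to be filtered separately, and if they are not, htmlspecialchars() on output is the simpler and safer choice.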