RE: [PHP] Stripping specific tags

2002-09-19 Thread John Holmes

 I was wondering, is there a way to strip ONLY the tags that you specify
 from a page, rather than having to include all the tags you do want (using
 strip_tags())?

A regular expression or str_replace() would be best for this. 

Realize this isn't a good method, though. What if you're trying to strip
images with an <img> tag, but a new spec comes out that allows <image>
tags? Now you're not protected against it. That's a simple example, but
it's a better policy to say X is good and allow it through, rather than
to say, I know Y is bad, but I'll let everything else through and assume
it's good.

---John Holmes...


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




RE: [PHP] Stripping specific tags

2002-09-19 Thread John Holmes

 That's what I thought the answer would be. I guess I will have to see if I
 can create a function to add to the next release of PHP to do this, as there
 certainly seems to be quite a demand for it, according to the archives
 anyway.

I hope not. That would be a worthless function to have. Did you read my
post? The basic idea of validation is to allow what you _know_ is good,
and kill the rest. You don't kill a couple of things you know are bad, then
assume the rest is good and let it in.

---John Holmes...






Re: [PHP] Stripping specific tags

2002-09-19 Thread Justin French

on 20/09/02 1:14 PM, John Holmes ([EMAIL PROTECTED]) wrote:

 I hope not. That would be a worthless function to have. Did you read my
 post? The basic idea of validation is to allow what you _know_ is good,
 and kill the rest. You don't kill a couple of things you know are bad, then
 assume the rest is good and let it in.

I'm with John on this one for sure... To pretend you know every possible
bad thing that can happen is plain stoopid.  Develop a list of things you
accept (commonly <p><b><i><br>), and turf the rest.

What I WOULD like to see in a future PHP release is a strip attributes
feature.  Not sure of how to implement it, but even if you only let a few
tags through, there are still BIG problems with the tags:

<B onclick="javascript: window.close()"> (not sure of the exact syntax) is
pretty evil.


Perhaps if strip tags could be extended so that you can list ALLOWED
attributes:

$string = striptags2('<P class id style><B><I><BR><A href target>', $string);

Essentially, this would kill off anyone doing an onclick/onmouseover/etc on
the allowed tags.


This still leaves a few problems, the biggest of which is
href="javascript:..." in <a> tags.

A further extension might be to list the allowed protocols of href??  There
could be an allowance for http, ftp, ext (external), rel (relative links),
javascript, and others I'm not thinking about.

striptags2('<b><A href[rel] target>', $string)
would only allow relative links

striptags2('<b><A href[http|ftp|rel] target>', $string)
would only allow relative, http and ftp links... NOT javascript, for example



This would make striptags() a HIGHLY powerful tool for validating user input
which contains HTML.  yes, it can all be done with regexp if you've got
enough time and skills, but I don't :)


Sorry for getting off topic!!


Regards,

Justin French


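An allowlist filter along the lines Justin sketches, written with PHP's DOMDocument; this is an added example, not part of the thread, not PHP's strip_tags() and not a shipped striptags2(). ALLOWED_TAGS, ALLOWED_SCHEMES, href_allowed(), clean_node() and sanitize_html() are names chosen here, and 'rel' stands for a scheme-less relative link as in the proposal.

```php
<?php
// Added example, not PHP's strip_tags() and not a shipped striptags2(): keep only
// listed tags, only listed attributes on them, and only listed URL schemes in href.
const ALLOWED_TAGS = ['p' => ['class', 'id'], 'b' => [], 'i' => [], 'br' => [], 'a' => ['href', 'target']];
const ALLOWED_SCHEMES = ['http', 'https', 'ftp', 'rel']; // 'rel' = relative link (no scheme), as proposed above

function href_allowed(string $url): bool {
    // Browsers ignore control characters/whitespace in the scheme, so strip them
    // before looking: "java\tscript:" must still be recognised as javascript:.
    $probe = preg_replace('/[\x00-\x20]+/', '', $url);
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $probe, $m)) {
        return in_array(strtolower($m[1]), ALLOWED_SCHEMES, true);
    }
    return in_array('rel', ALLOWED_SCHEMES, true); // no scheme at all: relative link
}

function clean_node(DOMNode $node): void {
    // Snapshot the child list, since nodes are removed and moved while looping.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMComment) { $node->removeChild($child); continue; }
        if (!$child instanceof DOMElement) { continue; } // plain text stays
        clean_node($child); // descendants first, so anything unwrapped below is already clean
        $tag = strtolower($child->tagName);
        if (!isset(ALLOWED_TAGS[$tag])) {
            // Tag not on the list: drop its markup but keep its text, like strip_tags().
            while ($child->firstChild) { $node->insertBefore($child->firstChild, $child); }
            $node->removeChild($child);
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->name);
            if (!in_array($name, ALLOWED_TAGS[$tag], true)
                || ($name === 'href' && !href_allowed($attr->value))) {
                $child->removeAttribute($attr->name); // e.g. onclick, or a javascript: href
            }
        }
    }
}

function sanitize_html(string $html): string {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // tolerate sloppy user markup quietly
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    clean_node($doc->documentElement); // the wrapper <div>
    return implode('', array_map(fn($c) => $doc->saveHTML($c),
                                 iterator_to_array($doc->documentElement->childNodes)));
}

// Constructed sample input: an event handler attribute, a javascript: link and a relative link.
echo sanitize_html('<p onclick="alert(1)">Hi <b>there</b> <a href="javascript:alert(1)">x</a> <a href="/docs">ok</a></p>');
```

The onclick attribute and the javascript: href are dropped while the tags themselves survive; the relative link keeps its href.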