RE: Re[2]: [PHP] Re: strip_tags bug ?

2002-06-07 Thread John Holmes

I don't see why people use strip_tags at all. I would hate posting to a
forum that will strip tags, esp. if I want to show an example of
something.

Just use htmlentities() and the data will be shown exactly as the user
typed it, but none of the HTML or code within it will be evaluated. So
if they type <script>, then instead of removing it, you just show it, but
with the < and > replaced with HTML entities.

---John Holmes...

> -Original Message-
> From: Stuart Dallas [mailto:[EMAIL PROTECTED]]
> Sent: Friday, June 07, 2002 5:31 PM
> To: Philip Hallstrom
> Cc: Mikhail Avrekh; [EMAIL PROTECTED]
> Subject: Re[2]: [PHP] Re: strip_tags bug ?
>
> On Friday, June 7, 2002 at 10:23:08 PM, you wrote:
>
>> Hmm... you could always do something like:
>>
>> $t = ereg_replace("<", "&lt;", $t);
>> $t = ereg_replace(">", "&gt;", $t);
>>
>> $nt = strip_tags($t);
>>
>> $nt = ereg_replace("&lt;", "<", $nt);
>> $nt = ereg_replace("&gt;", ">", $nt);
>>
>> maybe?
>
> That depends on what you're attempting to do. It would leave the following
> SCRIPT section intact...
>
> <SCRIPT language=javascript>
> // do something nasty here
> </SCRIPT>
>
> I don't know what others use strip_tags for, but I've only ever used it to
> remove script/html tags from forum posts. Using your code would create a
> massive security hole.
>
> --
> Stuart
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php



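Stuart's objection to the quoted snippet, and John's alternative, side by side as an added PHP example (this code is not part of the thread; the sample post is constructed, and str_replace() stands in for ereg_replace(), which was removed in PHP 7):

```php
<?php
// Added example, not from the thread. Constructed forum post: some harmless
// inline HTML plus the script block Stuart describes.
$post = "Compare: 1 < 2 and 3 > 2 <b>bold</b>\n"
      . "<SCRIPT language=javascript>\n"
      . "// do something nasty here\n"
      . "</SCRIPT>";

// The escape / strip_tags() / unescape round trip from the quoted message.
// Encoding < and > first means strip_tags() sees no tags at all, and the
// final unescape hands the original markup straight back.
function roundTrip(string $t): string {
    $t  = str_replace(['<', '>'], ['&lt;', '&gt;'], $t);
    $nt = strip_tags($t);                       // nothing left to strip
    return str_replace(['&lt;', '&gt;'], ['<', '>'], $nt);
}

// John's suggestion: encode once and display the text as typed. The browser
// renders "<SCRIPT>" as literal characters and never executes it.
function encodeForDisplay(string $t): string {
    return htmlentities($t, ENT_QUOTES, 'UTF-8');
}

$a = roundTrip($post);
$b = encodeForDisplay($post);

printf("round trip still contains <SCRIPT>:    %s\n",
       stripos($a, '<script') !== false ? 'yes' : 'no');   // yes
printf("htmlentities() output contains <SCRIPT>: %s\n",
       stripos($b, '<script') !== false ? 'yes' : 'no');   // no
echo $b, "\n";
```

The round trip returns the post byte for byte, script block included, which is exactly the hole Stuart points at; htmlentities() keeps the text readable (the "1 < 2" survives as "1 &lt; 2") while removing any chance of it being parsed as markup.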




RE: Re[2]: [PHP] Re: strip_tags bug ?

2002-06-07 Thread Mikhail Avrekh

Actually, we allow our users to use HTML tags -- a pretty large set of
tags is allowed in the second argument to strip_tags(). We just want to
strip out javascript and other stuff which has been known to cause problems.

This is why I was wondering if anyone has a good regexp which can allow
one to provide a set of allowed tags, instead of stripping any and all
HTML and other tags.

M.





RE: Re[2]: [PHP] Re: strip_tags bug ?

2002-06-07 Thread Miguel Cruz

How about if you use htmlentities() and then preg specified tags back into 
place? That way, the onus for not looking silly falls upon those who use 
unapproved tags. This would seem like the more conservative approach - and 
as a security-obsessed paranoid fool, I like conservative approaches.

miguel

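Mikhail's allow-list requirement and Miguel's encode-then-restore answer, as an added PHP example that is not part of the thread (the tag list, the sample post and the function names are constructed for this illustration):

```php
<?php
// Added example, not from the thread. Tag names are constructed; pick the
// set your forum actually needs.
const ALLOWED_TAGS = ['b', 'i', 'u', 'p', 'br', 'blockquote', 'code'];

// What strip_tags() with its second argument gives you: allowed tags are
// kept verbatim, attributes included, so an onclick= on an allowed tag
// survives. This is the gap Mikhail describes.
function viaStripTags(string $raw): string {
    $allowed = '<' . implode('><', ALLOWED_TAGS) . '>';
    return strip_tags($raw, $allowed);
}

// Miguel's approach: neutralise everything with htmlentities(), then
// restore only approved tags. The pattern matches an exact tag name with
// no attributes, so "&lt;i onclick=...&gt;" stays encoded and inert.
function renderPost(string $raw): string {
    $safe    = htmlentities($raw, ENT_QUOTES, 'UTF-8');
    $names   = implode('|', array_map('preg_quote', ALLOWED_TAGS));
    $pattern = '~&lt;(/?)(' . $names . ')(\s*/?)&gt;~i';
    return preg_replace($pattern, '<$1$2$3>', $safe);
}

// Constructed post: approved formatting, an approved tag carrying an event
// handler, a script block, and a bare "<" that is not a tag at all.
$post = "<b>Hello</b> <i onclick=\"doSomethingNasty()\">world</i>\n"
      . "<script>doSomethingNasty()</script>\n"
      . "1 < 2 && 2 > 1";

echo "strip_tags() allow-list:\n", viaStripTags($post), "\n\n";
echo "encode-then-restore:\n", renderPost($post), "\n";
```

In the strip_tags() output the `<i onclick=...>` comes through untouched. In the encode-then-restore output `<b>Hello</b>` is live again, the `<i ...>` opener and the script block stay as visible entities, and "1 &lt; 2" renders as typed. The stray `</i>` that gets restored without its opener is harmless to the browser; that is the "looking silly" Miguel is happy to leave to whoever used an unapproved tag. Tags that need attributes (a link's href, for instance) need their own pattern that validates the attribute value before restoring it, which is the point where a dedicated HTML sanitizer starts to earn its keep.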