Showing results for tags 'strip_tags()'.


While using the PHP strip_tags() function, I used the optional second parameter to specify tags which should not be stripped. However, with these allowable_tags, I realised strip_tags() is not safe. For example, with a string such as this:

```php
$str = "<p onmouseover=\"evilscript url\"> Hi, this is an interesting link. </p>";
```

I was able to load a page containing a script injected into it, and that script was able to rip off my session cookie ID!

To further strengthen data sanitization using the strip_tags() function, I have come up with the function below, which does the following:

- allows the use of the following HTML tags: <h1><h2><h3><h4><h5><h6><a><br><table><ul><ol><li><p><img>
- removes classes and ids from HTML tags
- removes font-style, font-size, color, font-family and line-height from style tags in the text
- removes javascript attributes within a tag
- removes empty style tags

```php
<?php
function CleanUp($InputString)
{
    // remove classes, ids and disallow these attributes/prefix within a tag
    $RemoveAttrib = "'\\s(class|id|javascript:|onclick|ondblclick|onmousedown|onmouseup|onmouseover|onmousemove|onmouseout|onkeypress|onkeydown|onkeyup)=\"(.*?)\"'i";
    $InputString = strip_tags($InputString, '<h1><h2><h3><h4><h5><h6><a><br><table><ul><ol><li><p><img>');
    $InputString = preg_replace($RemoveAttrib, '', $InputString);

    // remove font-style, font-size, color, font-family, line-height from style tags in the text
    $RemoveAttrib = "/(font\-size|color|font\-family|line\-height):\\s" .
                    "(\\d+(\\x2E\\d+\\w+|\\W)|\\w+)(;|)(\\s|)/i";
    //$InputString = stripslashes($tagSource);
    $InputString = preg_replace($RemoveAttrib, '', $InputString);

    // remove empty style tags, after the preg_replace above (style="")
    $InputString = str_replace(" style=\"\"", '', $InputString);
    return $InputString;
}
```

This worked well for single-line text, but if I had hard returns in the text the function could not find the other tags to remove, and therefore failed. See below.

```html
<p id= "mike" style="line-height: 150%; class="lead">The function did not strip off the paragraph ID attribute.</p>
```

Or

```html
<p id ="mike" style="line-height: 150%; class="lead">The function did not strip off the paragraph ID attribute.</p>
```

I tried matching new lines as shown below, but it did not work:

```php
$RemoveAttrib = "'\\s(class|id|javascript:|onclick|ondblclick|onmousedown|onmouseup|onmouseover|onmousemove|onmouseout|onkeypress|onkeydown|onkeyup)(\r\n)*?=\"(\r\n)*?(.*?)\"'i";
```

I need help to fix this. Thanks.
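The problem the post runs into is structural, not a missing `\r\n` in the pattern: the PHP manual itself warns that strip_tags() does not modify any attribute on a tag you allow, so every event handler, `style` and `javascript:` URL survives it, and a regex over serialized markup can always be dodged with whitespace around `=`, newlines inside the tag, unquoted or single-quoted values, or entity-encoded schemes such as `&#106;avascript:`. The robust approach is to parse the HTML, walk the tree and keep only an allowlist of elements and attributes. The following is an added example written for this page (it is not the poster's code and not from PHP Freaks); it uses PHP's bundled DOM extension, takes the poster's tag list and adds `tr`/`td`/`th` so tables stay usable (an assumed addition), and the `$sample` input is constructed from the strings in the post plus a few extra evasion attempts.

```php
<?php
// Added example (not the poster's code): allowlist HTML sanitizer on DOMDocument.
// Instead of regex-scrubbing serialized markup, parse it, walk the tree and keep
// only known-good elements and attributes. Everything else is unwrapped or dropped.

// Tag => attributes permitted on it. tr/td/th are an assumed addition to the post's list.
const ALLOWED_TAGS = [
    'h1' => [], 'h2' => [], 'h3' => [], 'h4' => [], 'h5' => [], 'h6' => [],
    'p'  => [], 'br' => [], 'ul' => [], 'ol' => [], 'li' => [],
    'table' => [], 'tr' => [], 'td' => [], 'th' => [],
    'a'   => ['href', 'title'],
    'img' => ['src', 'alt', 'width', 'height'],
];

// Elements whose *content* must be discarded too, never unwrapped into text.
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed', 'noscript'];

function isSafeUrl(string $url): bool
{
    // Browsers ignore tabs/newlines inside a scheme ("java\tscript:"), so strip
    // control characters before inspecting it. DOM has already decoded entities
    // such as &#106;avascript: for us, so those are caught as well.
    $probe = preg_replace('/[\x00-\x20\x7F]+/', '', $url);
    if ($probe === '' || !preg_match('/^([a-z][a-z0-9+.\-]*):/i', $probe, $m)) {
        return true; // no scheme: relative URL or fragment
    }
    return in_array(strtolower($m[1]), ['http', 'https', 'mailto'], true);
}

function cleanNode(DOMNode $parent): void
{
    // Copy the live NodeList first: we remove/move children while iterating.
    foreach (iterator_to_array($parent->childNodes, false) as $child) {
        if ($child instanceof DOMText) {
            continue;                          // text is kept; DOM escapes it on output
        }
        if (!$child instanceof DOMElement) {
            $parent->removeChild($child);      // comments, processing instructions, CDATA
            continue;
        }
        $tag = strtolower($child->tagName);
        if (in_array($tag, DROP_WITH_CONTENT, true)) {
            $parent->removeChild($child);
            continue;
        }
        if (!array_key_exists($tag, ALLOWED_TAGS)) {
            // Unknown element: clean its children, then splice them in its place.
            cleanNode($child);
            while ($child->firstChild !== null) {
                $parent->insertBefore($child->firstChild, $child);
            }
            $parent->removeChild($child);
            continue;
        }
        // Allowed element: keep only allowlisted attributes, with safe URL values.
        foreach (iterator_to_array($child->attributes, false) as $attr) {
            $name = strtolower($attr->name);
            $keep = in_array($name, ALLOWED_TAGS[$tag], true)
                && (!in_array($name, ['href', 'src'], true) || isSafeUrl($attr->value));
            if (!$keep) {
                $child->removeAttribute($attr->name);
            }
        }
        cleanNode($child);
    }
}

function sanitizeHtml(string $html): string
{
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);  // tolerate the broken markup we are cleaning
    // The <?xml ...> prefix makes libxml treat the fragment as UTF-8.
    $doc->loadHTML('<?xml encoding="UTF-8"><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';
    }
    cleanNode($body);

    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample input: the strings from the post above plus a newline inside a
// tag, an unquoted attribute, an entity-encoded scheme and a script element.
$sample = "<p onmouseover=\"evilscript url\"> Hi, this is an interesting link. </p>\n"
        . "<p id= \"mike\"\n style=\"line-height: 150%;\" class=\"lead\">Attributes go away.</p>\n"
        . "<a href=\"&#106;avascript:alert(document.cookie)\" onclick=\"x()\">link</a>\n"
        . "<a href=\"https://example.com/\" title=\"ok\">kept</a>\n"
        . "<script>steal(document.cookie)</script><span onmouseover=x>unwrapped</span>";

echo sanitizeHtml($sample), PHP_EOL;
```

Because the decision is made on the parsed tree rather than on the raw string, whitespace or line breaks around `=`, unquoted values and entity-encoded `javascript:` URLs all get the same treatment, which is exactly where the post's regex approach breaks down; a deny-list of event-handler names would also miss any handler not on the list, so the allowlist keeps only what is named. For production use the maintained HTML Purifier library does this job with far more care around CSS and URL parsing. Two defence-in-depth points follow from the cookie theft the post describes: set `session.cookie_httponly` (or `session_set_cookie_params(['httponly' => true])`) so an injected script cannot read the session id, and add a Content-Security-Policy so that inline event handlers are refused even if one slips through.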