discomatt Posted June 10, 2008

I'm building a template class, and I want to have the option of sanitizing PHP tags out of strings that will get plugged into a given template (the template will get eval'ed at some point). Here's my class method:

```php
public function sanitize( $string )
{
    // patterns for the three PHP open-tag forms: <? (short/full), <script language="php">, <% (ASP style)
    $search = array(
        '/<\?/',
        '/<script language=[\'"]?+php[\'"]?+[^>]*+>/i',
        '/<%/'
    );
    // replacements are HTML-entity-escaped so the tag text is left as inert markup
    $replace = array(
        '&lt;?',
        '&lt;script language="php"&gt;',
        '&lt;%'
    );
    return preg_replace( $search, $replace, $string );
}
```

If anyone can see any way a crafty user might be able to inject some PHP tags in there let me know. The template will be eval'ed using the following code:

```php
eval( '?>' . $buffer );
```
lemmin Posted June 10, 2008

'language' doesn't always have to be the first property in the script tag. Someone could even make up a property like:

```html
<script name="name" language="php">
```
discomatt Posted June 10, 2008 (Author)

Yes, but PHP won't parse code tagged like that... at least, not with my tests. If I'm wrong please correct me.

But you did help me notice one thing I'm missing... PHP will parse if there are several spaces after script. Sooo my regex has changed to:

```php
'/<script[ ]++language=[\'"]?+php[\'"]?+[^>]*+>/i'
```

Thank you for the indirect help.
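The regex-only approach above trusts that the patterns enumerate every open-tag form the lexer accepts. A more robust check is to ask PHP itself: `token_get_all()` lexes a string exactly the way a source file is lexed, starting in inline-HTML mode, which is what `eval('?>' . $buffer)` does, so if it emits no `T_OPEN_TAG` / `T_OPEN_TAG_WITH_ECHO` token the eval cannot enter PHP mode. The following is an added example, not the original poster's class: it takes the sanitizer from the first post with the revised `<script>` pattern from this one, runs it over a few constructed template strings, and uses the tokenizer as the oracle before anything is eval'ed. `sanitizeTemplate`, `containsPhpOpenTag`, `renderUntrustedTemplate` and the sample strings are all assumed names and data.

```php
<?php
// Added example (not the original poster's code): the thread's sanitizer with the
// revised <script> regex, verified with PHP's own tokenizer before eval().

// Same search patterns as the thread; replacements are HTML-entity-escaped so the
// tag is emitted as inert text when the template is rendered.
function sanitizeTemplate($string)
{
    $search = array(
        '/<\?/',
        '/<script[ ]++language=[\'"]?+php[\'"]?+[^>]*+>/i',
        '/<%/',
    );
    $replace = array(
        '&lt;?',
        '&lt;script language="php"&gt;',
        '&lt;%',
    );
    $out = preg_replace($search, $replace, $string);
    if ($out === null) {
        // preg_replace() returns NULL on a PCRE error (e.g. backtrack limit hit);
        // fail closed instead of handing the unsanitized input onwards.
        throw new RuntimeException('sanitize failed, preg error ' . preg_last_error());
    }
    return $out;
}

// Oracle: token_get_all() starts in inline-HTML mode, just like eval('?>' . $buffer).
// Any open-tag token means eval would execute whatever follows it. Because this runs
// in the real interpreter it reflects that installation's short_open_tag / asp_tags
// settings (and on PHP 7+ the <script language="php"> and <% forms are no longer tags).
function containsPhpOpenTag($buffer)
{
    foreach (token_get_all($buffer) as $token) {
        if (is_array($token) && ($token[0] === T_OPEN_TAG || $token[0] === T_OPEN_TAG_WITH_ECHO)) {
            return true;
        }
    }
    return false;
}

// Sanitize, verify with the tokenizer, and only then eval. Returns the rendered output.
function renderUntrustedTemplate($buffer)
{
    $clean = sanitizeTemplate($buffer);
    if (containsPhpOpenTag($clean)) {
        throw new RuntimeException('PHP open tag survived sanitizing; refusing to eval');
    }
    ob_start();
    eval('?>' . $clean);
    return ob_get_clean();
}

// Constructed sample templates, one per tag form the sanitizer targets.
$samples = array(
    'plain html'               => '<p>Hello, {name}</p>',
    'short tag'                => '<? echo "short"; ?>',
    'full tag'                 => '<?php echo "full"; ?>',
    'echo tag'                 => '<?= "echo" ?>',
    'script, mixed case+spaces' => '<SCRIPT   language=php>echo "script";</script>',
    'asp tag'                  => '<% echo "asp"; %>',
);

foreach ($samples as $label => $tpl) {
    $clean = sanitizeTemplate($tpl);
    printf("%-28s raw open tag: %-3s  after sanitize: %s\n",
        $label,
        containsPhpOpenTag($tpl) ? 'yes' : 'no',
        containsPhpOpenTag($clean) ? 'STILL PRESENT' : 'none');
}

echo renderUntrustedTemplate($samples['plain html']), "\n";
```

The "raw open tag" column is worth reading on its own: it tells you which forms the running interpreter actually treats as PHP (for instance `<?` only when `short_open_tag` is on), so the regex list can be compared against real lexer behaviour rather than assumptions. The tokenizer extension must be enabled for `token_get_all()` to exist; it is compiled in by default.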
rarebit Posted June 10, 2008

I use bbcode. First use htmlentities, then regex the bb into html... This way you only let through exactly what you want, everything else is sanitised...
discomatt Posted June 10, 2008 (Author)

This is a template system... I will want full HTML in most cases, and in some cases, PHP code parsing. Hence the eval call. This is simply a paranoid check to make sure a malicious user hasn't managed to inject bad code into template files.