
Disable Javascript in an HTML text-box.


GB_001


Just filter out the keywords, ie: "javascript:" "<script", AND replace the "<" ">" tags with their special equivs &lt; &gt;.  Afaik you should be safe if you replace their <, > tags with the &lt;/&gt; and display it.

The best bet is to use the BBC method.  Change all < and > tags to something, ie: [ and ].  Then do a replace for ALLOWED html, like the example below.  Or just use &lt;/&gt;

 

<?php
// Sample input standing in for a submitted form field
$_POST['text'] = "<b>Hi</b><script type='text/javascript'>alert('haxor')</script>";

// Turn every angle bracket into a square bracket so no tag survives
$_POST['text'] = str_replace(">", "]", str_replace("<", "[", $_POST['text']));
// Re-enable only the allowed tags
$_POST['text'] = str_replace("[b]", "<b>", $_POST['text']);
$_POST['text'] = str_replace("[/b]", "</b>", $_POST['text']);

echo $_POST['text'];
// Outputs <b>Hi</b>[script type='text/javascript']alert('haxor')[/script]
?>

You also need to accommodate the inline javascript stuff.  <a href="javascript:alert()">Link</a>, just a heads up.
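
The escape-then-allowlist idea from the post above, extended to cover the javascript: link case it mentions. This is an added example, not the poster's code; the function name render_post and the [url=...] tag syntax are assumptions made for illustration, and the sample input is constructed.

```php
<?php
// Hypothetical helper: escape everything, then re-enable an allowlist.
function render_post(string $raw): string
{
    // 1. Neutralise all markup: < > & " ' become HTML entities.
    $safe = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // 2. Re-enable simple, attribute-free tags typed as [b], [i], [u].
    foreach (['b', 'i', 'u'] as $tag) {
        $safe = str_ireplace(["[$tag]", "[/$tag]"], ["<$tag>", "</$tag>"], $safe);
    }

    // 3. Links: [url=...]text[/url], kept only for http/https targets.
    $out = preg_replace_callback(
        '~\[url=([^\]\s]+)\](.*?)\[/url\]~is',
        static function (array $m): string {
            // $m[1] is already entity-escaped; decode it to inspect the real URL.
            $url    = htmlspecialchars_decode($m[1], ENT_QUOTES);
            $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
            if (!in_array($scheme, ['http', 'https'], true)) {
                return $m[2]; // javascript:, data:, etc.: drop the link, keep the text
            }
            // Emit the escaped form so quotes cannot break out of the attribute.
            return '<a href="' . $m[1] . '" rel="nofollow noopener">' . $m[2] . '</a>';
        },
        $safe
    );

    // preg_replace_callback returns null on a regex engine error; fall back
    // to the fully escaped text rather than emitting nothing.
    return $out ?? $safe;
}

// Constructed sample input covering the cases discussed in the post.
$samples = [
    "[b]Hi[/b]<script type='text/javascript'>alert('haxor')</script>",
    '<a href="javascript:alert()">Link</a>',
    '[url=javascript:alert()]Link[/url]',
    '[url=https://example.com/?a=1&b=2]Link[/url]',
];

foreach ($samples as $s) {
    echo render_post($s), "\n";
}
```

Checking the URL scheme against an allowlist, rather than searching for the string "javascript:", also rejects mixed-case variants and other schemes such as data: without needing a keyword list.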
