laPistola, posted November 17, 2008: As my site uses the tinyMCE WYSIWYG editor, it's pointless using htmlentities to increase security, so instead I'm writing an array of 'bad HTML' for a str_replace() which will just replace with REPORT THIS PAGE. At the moment I have very little: $badHTML = array("<script","</script>","<form","</form>","<?php","<?","?>"); Anyone got any more tags that should be disallowed? Thanks in advance.
gaza165, posted November 17, 2008: Are you inserting the data from the textarea into a database and then calling it back from the database?
laPistola (author), posted November 17, 2008: Yes, tinyMCE inserts it into a DB and it's called onto a page. As tinyMCE uses HTML to do its WYSIWYG there is a nice opening for attack; that's why I plan to str_replace() any HTML I don't want users inputting before it's inserted into the database. I'll use it for the PM system too, which doesn't use tinyMCE, but some HTML, Java or PHP could do some damage if attacked. It's all in and working; I'm just looking at adding more tags to the array to close the possible attack routes.
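Added example (not code from any poster in this thread): the str_replace() blacklist above is case-sensitive and only knows the handful of tags listed, so it cannot be a complete list of "bad HTML". The usual defender's approach for stored WYSIWYG content is the opposite: parse the HTML and keep only an allowlist of tags and attributes, dropping everything else. The allowlist below (tag names, the href scheme check, and the list of elements removed together with their content) is an assumption chosen to match a typical tinyMCE toolbar; it uses PHP's bundled DOMDocument (ext/dom).

```php
<?php
// Added example, not the poster's code. Allowlist sanitizer for HTML stored from a
// WYSIWYG editor. Everything not explicitly allowed is removed before the DB insert.

// Assumed allowlist: what a basic tinyMCE toolbar produces.
const ALLOWED_TAGS = ['p', 'br', 'b', 'strong', 'i', 'em', 'u', 'ul', 'ol', 'li',
                      'a', 'h1', 'h2', 'h3', 'blockquote'];
// Only these attributes survive, per tag; every other attribute (style, on*, etc.) is dropped.
const ALLOWED_ATTRS = ['a' => ['href']];
// Elements whose inner content is also thrown away, not just the tag itself.
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed', 'applet',
                           'noscript', 'textarea', 'select', 'svg', 'math', 'template'];

function sanitize_html(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);            // tolerate the tag soup editors emit
    // Wrap the fragment so we can find it again; the <?xml ...> prefix forces UTF-8.
    $doc->loadHTML('<?xml encoding="UTF-8"><div id="sanitize-root">' . $html . '</div>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();

    $xp   = new DOMXPath($doc);
    $root = $xp->query('//div[@id="sanitize-root"]')->item(0);
    if ($root === null) {
        return '';                               // nothing parseable: store nothing
    }
    clean_element($root);

    $out = '';
    foreach ($root->childNodes as $child) {      // serialise the cleaned fragment only
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function clean_element(DOMElement $el): void
{
    // Iterate over a snapshot: we mutate the child list while walking it.
    foreach (iterator_to_array($el->childNodes) as $child) {
        if (!$child instanceof DOMElement) {
            if ($child->nodeType === XML_COMMENT_NODE) {
                $el->removeChild($child);        // comments carry no content worth keeping
            }
            continue;                            // text nodes are kept as-is
        }
        $tag = strtolower($child->tagName);      // case-insensitive, unlike str_replace()
        if (in_array($tag, DROP_WITH_CONTENT, true)) {
            $el->removeChild($child);
            continue;
        }
        clean_element($child);                   // clean descendants first
        if (!in_array($tag, ALLOWED_TAGS, true)) {
            // Unknown tag: unwrap it, keeping its (already cleaned) children.
            while ($child->firstChild !== null) {
                $el->insertBefore($child->firstChild, $child);
            }
            $el->removeChild($child);
            continue;
        }
        clean_attributes($child, $tag);
    }
}

function clean_attributes(DOMElement $el, string $tag): void
{
    $allowed = ALLOWED_ATTRS[$tag] ?? [];
    foreach (iterator_to_array($el->attributes) as $attr) {
        $name = strtolower($attr->name);
        if (!in_array($name, $allowed, true) || ($name === 'href' && !safe_url($attr->value))) {
            $el->removeAttribute($attr->name);
        }
    }
}

function safe_url(string $url): bool
{
    $url = trim($url);
    if (!preg_match('/^[a-z][a-z0-9+.\-]*:/i', $url)) {
        return true;                             // relative link, no scheme to worry about
    }
    return (bool) preg_match('#^(https?|mailto):#i', $url);   // assumed scheme allowlist
}

// Constructed sample input standing in for a tinyMCE submission.
$submitted = '<p onclick="x()">Hello <b>there</b></p><script>alert(1)</script>'
           . '<a href="https://example.com">ok</a><div><em>kept</em></div>';
echo sanitize_html($submitted), PHP_EOL;
// Expected: <p>Hello <b>there</b></p><a href="https://example.com">ok</a><em>kept</em>
```

Two points the thread's blacklist misses that this handles: tag matching is done on parsed, lowercased element names rather than on raw text, and attributes are filtered as well as tags, since the danger in stored HTML is rarely limited to a `<script>` element. For the PM system, which does not use tinyMCE, none of this is needed: store the text as entered and wrap it in htmlspecialchars() at output time so it is displayed rather than rendered.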