3raser, posted June 5, 2012

I was reading the documentation for strip_tags() and it mentioned nothing about removing JavaScript tags (which I'm assuming is HTML since it's in the form of it - e.g: <script></script>). I just want to be assured that it does protect against XSS. Do you have any better recommendations? Thanks.

Psycho, posted June 5, 2012

Did you try it? Here's a simple test.

    $input = "This is input with <script type=\"javascript\"> alert('JavaScript'); </script> code.";
    echo strip_tags($input);

And, a simple Google search for "PHP prevent XSS attacks" yielded plenty of good resources.

requinix, posted June 5, 2012

It should prevent many forms, but there are some it won't. It depends where you output the strings. Pretty much all you need is htmlentities() or htmlspecialchars().
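
Added example, not part of the thread: the point above that the result depends on where the string is output, shown by placing the same value inside a quoted attribute after strip_tags() and after htmlspecialchars(). The helper names esc() and inputAttributes() and both sample inputs are constructed for this illustration; it assumes PHP's DOM extension is available.

```php
<?php
// Escape for HTML body text and quoted attribute values.
function esc(string $s): string
{
    // ENT_QUOTES also encodes ' and ", which matters inside attributes.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Parse markup and list the attribute names a parser sees on the first <input>.
function inputAttributes(string $html): array
{
    libxml_use_internal_errors(true); // keep parser warnings out of the output
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    $names = [];
    $input = $doc->getElementsByTagName('input')->item(0);
    if ($input !== null) {
        foreach ($input->attributes as $attr) {
            $names[] = $attr->nodeName;
        }
    }
    return $names;
}

// Constructed sample inputs (assumptions, not taken from the thread).
$samples = [
    'script tag'       => "Hi <script>alert('JavaScript');</script> there",
    'quotes, no tags'  => 'x" onmouseover="alert(1)',
];

foreach ($samples as $label => $input) {
    // strip_tags() removes tags only; quotes pass through untouched.
    $viaStrip  = '<input value="' . strip_tags($input) . '">';
    $viaEscape = '<input value="' . esc($input) . '">';

    printf(
        "%s\n  strip_tags: %s\n    attributes seen: [%s]\n  escaped:    %s\n    attributes seen: [%s]\n\n",
        $label,
        $viaStrip,
        implode(', ', inputAttributes($viaStrip)),
        $viaEscape,
        implode(', ', inputAttributes($viaEscape))
    );
}
```

For the second sample the strip_tags() version parses with an extra onmouseover attribute next to value, while the escaped version parses with value only.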