dotancohen, posted November 6, 2006:

I'm setting up a comments system on a site, with the comments stored in a MySQL database. To prevent SQL injection, I run mysql_real_escape_string() on incoming data. This should be enough to protect the database (tell me if otherwise), but I'd like to prevent people from posting JavaScript and other malicious HTML. Basically, I'd like the comments to be BBCode and text only, using this BBCode parser: http://il.php.net/manual/en/fu....php#69398

How can I strip the remaining HTML, JavaScript, and whatnot from the posts? If somebody has already invented this wheel, then I'd rather not risk a security breach by trying to reinvent it myself.

Thanks in advance.

Dotan Cohen
http://lyricslist.com
sinisake, posted November 6, 2006:

http://www.php.net/manual/en/function.strip-tags.php
dotancohen (author), posted November 6, 2006:

Thanks. I did see that, but it specifically says that it is easily circumvented with JavaScript on the tags I leave (and convert to BBCode). Maybe I need a way of removing all tag attributes before I run it through this.
ralph4100, posted November 7, 2006:

htmlentities is SUPPOSED to do what you want, but I am having problems with it; see my topic hahaha
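The approach the thread converges on (escape all HTML first, then let only a fixed BBCode whitelist become markup) as an added example; this is not code from the thread or from the linked BBCode parser, and the tag set and render_comment() name are assumptions:

```php
<?php
// Added example (not from the thread): escape the whole comment first, then
// translate a small BBCode whitelist back into HTML. Because escaping happens
// before BBCode conversion, raw <script> tags or event-handler attributes that
// a user types can never reach the page as markup.

function render_comment(string $raw): string
{
    // 1. Neutralise every HTML metacharacter, including quotes, so nothing the
    //    user typed is interpreted as a tag or attribute.
    $safe = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // 2. Only these BBCode tags are ever turned into HTML; the replacement
    //    markup is fixed, so no attribute can be injected through them.
    $simple = [
        '~\[b\](.*?)\[/b\]~is'         => '<strong>$1</strong>',
        '~\[i\](.*?)\[/i\]~is'         => '<em>$1</em>',
        '~\[u\](.*?)\[/u\]~is'         => '<u>$1</u>',
        '~\[quote\](.*?)\[/quote\]~is' => '<blockquote>$1</blockquote>',
    ];
    $safe = preg_replace(array_keys($simple), array_values($simple), $safe);

    // 3. [url=...] carries a user-supplied value, so validate it: absolute
    //    http(s) only, which rejects javascript: and data: schemes outright.
    $safe = preg_replace_callback(
        '~\[url=([^\]]+)\](.*?)\[/url\]~is',
        function (array $m): string {
            $href = html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
            if (!preg_match('~^https?://~i', $href)
                || filter_var($href, FILTER_VALIDATE_URL) === false) {
                return $m[2]; // drop the link, keep the visible text
            }
            $href = htmlspecialchars($href, ENT_QUOTES, 'UTF-8');
            return '<a href="' . $href . '" rel="nofollow">' . $m[2] . '</a>';
        },
        $safe
    );

    return nl2br($safe);
}

// Constructed sample input: legitimate BBCode mixed with markup that must
// come out as inert text and a link that must be dropped.
$comment = "[b]Nice site![/b] <script>alert(1)</script>\n"
         . "[url=javascript:alert(1)]click[/url] [url=https://example.com]ok[/url]";
echo render_comment($comment), "\n";
```

Store the raw comment in the database (using a prepared statement or mysql_real_escape_string() as the thread describes) and run render_comment() at output time, so the escaping rules can be tightened later without rewriting stored rows.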