LanceT Posted February 16, 2007

What is a good and easy way to prevent Javascript from being parsed in a text field for a form?
JasonLewis Posted February 16, 2007

You've lost me, please explain a bit clearer what you're trying to achieve.
Jessica Posted February 16, 2007

strip_tags() or Pear's HTML_Safe
LanceT Posted February 16, 2007

> You've lost me, please explain a bit clearer what you're trying to achieve.

I have a text field where I'm going to allow user input and send it to the database. I want to prevent XSS, so if they enter javascript, it will just show the javascript as text instead of executing it.
mbtaylor Posted February 16, 2007

As jesi said, strip_tags would work grand. If you want more control you are looking at regular expressions with preg_replace.
LanceT Posted February 18, 2007

I looked at strip_tags and I'm a bit confused. I want to be able to let my users use basically all HTML except for anything that is javascript. If I use strip_tags I would have to write a bunch of code in the syntax to account for all the code that I want to allow the user to have. Is there like an opposite version of strip_tags?

string strip_tags ( string $str [, string $allowable_tags] )

I want code that is

string strip_tags ( string $str [, string $NOTallowable_tags] )

Is there anything like this?
mbtaylor Posted February 19, 2007

Well, for that preg_replace is your best bet:

$html = preg_replace("/<script\/?>/", "", $html); // the "/" inside the pattern is escaped because "/" is also the pattern delimiter

That basically says, strip out anything that has a '<' and 'script' and maybe a '/' followed by a '>'. Regular expressions rule!

A function to do the strip_tags:

function strip_bad_tags($html) {
    // strip_tags() removes every tag except the ones listed in $allowed
    $allowed = "<h1><h2><h3><h4><div><p><b><i><u><br><img><a><table><tr><td><th><ol><li><ul><span><strong>";
    return strip_tags($html, $allowed);
}

Just change the allowed tags to the tags you want to allow and you should be sorted.
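The following is an added example, not code posted by anyone in this thread, covering both of LanceT's requests: showing submitted javascript as text (the original question) and allowing an HTML subset with the javascript removed (the follow-up). One caveat from the PHP manual matters for the strip_bad_tags() approach above: strip_tags() does not touch the attributes of the tags it keeps, so an event-handler attribute or a javascript: href on an allowed tag survives it. The sanitizer below therefore parses the markup with DOMDocument, keeps only the thread's tag list, and applies its own allow-list of attributes and URL schemes (those lists, the function names and the sample input are this example's assumptions).

```php
<?php
declare(strict_types=1);

// Option 1: treat the field as plain text. Store the raw input, and encode it when it
// is written into the page, so "<script>" is displayed as those literal characters.
function render_as_text(string $userInput): string
{
    return htmlspecialchars($userInput, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Option 2: allow a subset of HTML. The tag list is the one from the thread; the
// attribute list and URL schemes are this example's own (assumed) choices.
const ALLOWED_TAGS = ['h1', 'h2', 'h3', 'h4', 'div', 'p', 'b', 'i', 'u', 'br', 'img', 'a',
                      'table', 'tr', 'td', 'th', 'ol', 'li', 'ul', 'span', 'strong'];
const ALLOWED_ATTRS = ['a' => ['href', 'title'], 'img' => ['src', 'alt']];
const ALLOWED_SCHEMES = ['http', 'https'];

// Accept only http(s) or scheme-less (relative) URLs for href/src.
function safe_url(string $url): bool
{
    // Browsers drop tab, newline and leading control characters when parsing a URL,
    // so remove them before looking for a scheme; otherwise the check can be bypassed.
    $url = preg_replace('/[\x00-\x20]+/', '', $url);
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $url, $m)) {
        return in_array(strtolower($m[1]), ALLOWED_SCHEMES, true);
    }
    return true; // no scheme: a relative URL
}

// Walk the DOM and keep only allowed elements and attributes.
function clean_node(DOMNode $node): void
{
    // Iterate over a snapshot, because the loop body modifies the child list.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if ($child->nodeType === XML_TEXT_NODE) {
            continue; // text nodes are escaped when serialised, nothing to do
        }
        if ($child->nodeType === XML_CDATA_SECTION_NODE) {
            // libxml may store <script>/<style> bodies as CDATA; convert them to plain
            // text so they are escaped on output instead of emitted raw.
            $node->replaceChild($node->ownerDocument->createTextNode($child->nodeValue), $child);
            continue;
        }
        if ($child->nodeType !== XML_ELEMENT_NODE) {
            $node->removeChild($child); // comments, processing instructions, etc.
            continue;
        }
        clean_node($child); // sanitise the subtree before deciding about this element
        $tag = strtolower($child->nodeName);
        if (!in_array($tag, ALLOWED_TAGS, true)) {
            // Unwrap like strip_tags(): drop the tag, keep its contents as text.
            while ($child->firstChild !== null) {
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
            continue;
        }
        $keep = ALLOWED_ATTRS[$tag] ?? [];
        foreach (iterator_to_array($child->attributes, false) as $attr) {
            $name = strtolower($attr->nodeName);
            $isUrl = ($name === 'href' || $name === 'src');
            if (!in_array($name, $keep, true) || ($isUrl && !safe_url($attr->nodeValue))) {
                $child->removeAttribute($attr->nodeName);
            }
        }
    }
}

function sanitize_html(string $html): string
{
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true); // user markup is rarely well-formed
    $doc->loadHTML('<?xml encoding="utf-8" ?><body>' . $html . '</body>');
    libxml_use_internal_errors($previous);
    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';
    }
    clean_node($body);
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child); // serialise only the user's fragment
    }
    return $out;
}

// Constructed sample input (not from the thread): allowed markup mixed with a script
// element, an event-handler attribute and a javascript: link. strip_tags($html, $allowed)
// removes only the <script> tag from this; the attributes stay on the allowed tags.
$sample = '<p onclick="x()">Hi <b>there</b></p><script>alert(1)</script>'
        . '<a href="javascript:alert(1)">link</a> <a href="https://example.com/">ok</a>';

echo "Escaped as text:\n", render_as_text($sample), "\n\n";
echo "Sanitised HTML:\n", sanitize_html($sample), "\n";
```

Store the raw submission and run whichever function fits the field at output time; render_as_text() is the right choice wherever the field is not meant to carry markup at all. For the HTML subset, the DOM walk is what makes the attribute filtering reliable: a regular expression such as the preg_replace above only sees the tag name, not the attributes or the URL scheme inside it.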