easiest and best way to prevent javascript in a POST field

[LanceT]

What is a good and easy way to prevent Javascript from being parsed in a text field for a form?

[JasonLewis]

you've lost me, please explain a bit clearer on what your trying to achieve.

[Jessica]

strip_tags() or Pear's HTML_Safe

[LanceT]

you've lost me, please explain a bit clearer on what your trying to achieve.

 

I have a text field where I'm going to allow user input and send it to the database. I want to prevent XSS so If they enter javascript, it will just show the javascript in text instead of executing it.

[mbtaylor]

As jesi said, strip_tags would work grand. If you want more control you are looking at regular expressions with preg_replace

[LanceT]

I looked at strip_tags and I'm a bit confused. I want to be able to let my users use basically all HTML except for anything that is javascript. If I use strip_tags I would have to write a bunch of code in the syntax to account for all the code that I want to allow the user to have. Is there like an opposite version of strip_tags?

 

string strip_tags ( string $str [, string $allowable_tags] )

 

I want code that is

 

string strip_tags ( string $str [, string $NOTallowable_tags] )

 

Is there anything like this?

[mbtaylor]

Well, for that preg_replace is your best bet:

 

$html = preg_replace ("/<script/?>/", "", $html);

 

That basically says, strip out anything that has a '<' and 'script' and maybe a '/' followed by a '>'.

Regular expressions rule!

 

A function to do the strip_tags:

 

function strip_bad_tags($html) {
  $allowed = "<h1><h2><h3><h4><div><p><b><i><u><br><img><a><table><tr><td><th><ol><li><ul><span><strong>";
  return strip_tags($html, $allowed);
}

 

Just change the allowed tags to the tags you want to allow and you should be sorted.