Warptweet
Posted April 2, 2007

I use this (currently inefficient) code to stop PHP and JavaScript from being entered in $blog_text:

    // Case-insensitive, so "<?php" and "<?PHP" are both replaced
    $blog_text = str_ireplace("<?PHP", "PHP Permissions Denied", $blog_text);

For PHP, it easily works because the <?php is absolutely vital to start PHP (I didn't enable the ability to start PHP with <?). But JavaScript does not REQUIRE <script language="text/javascript">. As far as some pesky visitors did, they ended up making one of their blogs with unstoppable music, popups, text alerts; it was sick. JavaScript MUST BURN!!!!

Is there a way in a SINGLE LINE to simply completely BLOCK JavaScript from being enabled on the page? If not, what is a better method of blocking JavaScript?

per1os
Posted April 2, 2007

There are a few ways. One way is to convert all < to &lt;. This will disallow the scripts from being run. Or simply convert <script to &lt;script, i.e.:

    // Case-insensitive check and replace (eregi() was removed in PHP 7)
    if (stripos($blog_text, '<script') !== false) {
        $blog_text = str_ireplace('<script', '&lt;script', $blog_text);
    }

That would work for not letting it run. But you can also parse it out, i.e., you know JS must have the </script> to work, so do this:

    <?php
    $blog_text = 'This is a test <script language="text/javascript"> this is some alert(\'javascript\');</script> some after math text <script> smores?</script> here is some more';

    if (stripos($blog_text, '<script') !== false) {
        // Repeat until no opening <script tag is left
        while (stripos($blog_text, '<script') !== false) {
            // Split at the first opening tag (spliti() was removed in PHP 7)
            list($before, $javascript) = preg_split('/<script/i', $blog_text, 2);
            // Split at the first closing tag; pad in case it is missing
            list($javascript, $after) = array_pad(preg_split('#</script>#i', $javascript, 2), 2, '');
            $blog_text = $before . " Javascript Denied " . $after;
        }
    }
    print "<pre>" . $blog_text . "</pre>";
    ?>

Should suffice either way you want.

trq
Posted April 2, 2007

PHP code will not be executed when posted through a form, well, not unless you've gone and done something pretty silly with eval.

emehrkay
Posted April 2, 2007

The best way to handle JavaScript input is to never echo out user input without cleaning it first.
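
As an added example (not code from any poster in this thread): escaping at output time with htmlspecialchars(), compared with the `<script` substring replacement shown earlier, on constructed sample posts. The function names escape_blog_text, replace_script_tags and has_live_tag are hypothetical.

```php
<?php
// Added example; function names and sample posts are constructed here.

// Escape at output time so every character of the post is shown as text.
function escape_blog_text(string $raw): string
{
    // ENT_QUOTES also escapes ' and ", which matters inside quoted attributes.
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The substring replacement from the thread, kept for comparison.
function replace_script_tags(string $raw): string
{
    return str_ireplace('<script', '&lt;script', $raw);
}

// Demo heuristic: true when the output still contains what looks like
// an opening tag ("<" directly followed by a letter or "!").
function has_live_tag(string $html): bool
{
    return preg_match('/<[a-z!]/i', $html) === 1;
}

// Constructed sample posts.
$samples = [
    'plain text'      => 'Went hiking today, 5 < 7 miles left',
    'script element'  => '<SCRIPT>alert(1)</SCRIPT>',
    'event attribute' => '<img src="x" onerror="alert(1)">',
];

foreach ($samples as $label => $raw) {
    printf(
        "%-16s replaced: %-9s escaped: %s\n",
        $label,
        has_live_tag(replace_script_tags($raw)) ? 'live tag' : 'inert',
        has_live_tag(escape_blog_text($raw)) ? 'live tag' : 'inert'
    );
    // nl2br keeps the author's line breaks and is applied after escaping.
    echo '  ', nl2br(escape_blog_text($raw)), "\n";
}
```

htmlspecialchars() covers the HTML body and quoted attribute values; text placed inside a script block, a URL or a style needs the encoding for that context instead.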
This topic is now archived and is closed to further replies.