
strip tags


jwhite68


I am trying to take external content (text description) that could either be raw text, or HTML content - and assign it to a field that will be displayed on my website.

 

Since I want to present the data on my website, I want to strip the majority of HTML tags that control font, colour, size, underlines etc.

 

I know that PHP provides strip_tags for this purpose.  The thing is, I want it to keep the carriage returns/newlines, and if possible bullet points - does anyone know how I can achieve this?


Thanks, I see.

 

If my HTML code is like this:

 

<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US><FONT face="Times New Roman"><BR><FONT face="Verdana, Arial, Helvetica, sans-serif" size=3>This is my description. </FONT></FONT></SPAN></P>

 

Will setting the <p> tag as allowable also make use of the style, where it sets the margin etc?

The thing is that I only want to allow carriage returns and newlines, and bullet points, and literally nothing else - so I am not clear if this can be achieved without including other options that may be set in the paragraph tag, for example.


After seeing a post yesterday about a similar topic I did quite a bit of reading up on this stuff. You should also be wary of attributes of certain tags as well. Apparently a malicious user can apply javascript to about any element. For example: <font size="3" onmouseover="alert('XSS');">Test</font>. Apparently, HTML purifier is a good way to filter this stuff, but to me it seems awfully bloated... I'm not sure what more I'm going to do in this regard yet. Here are a couple of resources for you to do some more reading if you so desire:

 

http://shiflett.org/articles/foiling-cross-site-attacks

http://ha.ckers.org/xss.html

http://quickwired.com/smallprojects/php_xss_filter_function.php

http://blog.liip.ch/archive/2005/01/16/xss-how-we-try-to-prevent-it.html

 

I'm not suggesting that all of these are solutions but it provides a good variety of problems/attempted solutions. It should give you some additional insight on the topic in general.
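Added example, not code from any poster in this thread: it shows that strip_tags() with an allow-list keeps every attribute on the allowed tags (style, class, onmouseover...), and a second pass that removes those attributes so only bare <p>, <br>, <ul>, <ol> and <li> survive. The helper name sanitize_description and the allow-list are my assumptions; the sample input is constructed from the HTML quoted earlier in the thread and assumes UTF-8 text.

```php
<?php
// Hypothetical helper (added example): keep paragraphs, line breaks and bullet
// lists, and nothing else - no attributes at all on the tags that survive.
function sanitize_description(string $html): string
{
    $allowed = ['p', 'br', 'ul', 'ol', 'li'];

    // First pass: strip_tags() removes tags outside the allow-list but keeps
    // their text, and leaves attributes on the allowed tags untouched.
    $stripped = strip_tags($html, '<' . implode('><', $allowed) . '>');

    // Second pass: parse what is left and delete every attribute, so inline
    // styles, classes and event handlers cannot reach the rendered page.
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);          // tolerate sloppy real-world HTML
    // The <?xml encoding...> prefix makes libxml read the fragment as UTF-8;
    // the <div> wrapper stops bare text from being wrapped in an implied <p>.
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $stripped . '</div>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();

    $xpath = new DOMXPath($doc);
    foreach ($xpath->query('//@*') as $attr) {   // every attribute node in the tree
        $attr->ownerElement->removeAttribute($attr->nodeName);
    }

    // Serialise the children of our wrapper <div>; the first <div> in document
    // order is always the wrapper because <div> is not in the allow-list.
    $wrapper = $doc->getElementsByTagName('div')->item(0);
    $out = '';
    foreach ($wrapper->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample: the Word-style paragraph from the thread, plus an
// injected event handler on a <font> tag and another on an allowed <li>.
$input = '<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US>'
       . '<FONT face="Verdana" size=3 onmouseover="alert(1)">This is my description.</FONT>'
       . '<BR></SPAN></P><ul><li onclick="alert(2)">first point</li></ul>';

// Allow-list alone: <P class=MsoNormal style="..."> and <li onclick="..."> survive.
echo strip_tags($input, '<p><br><ul><li>'), "\n";

// Two-pass version: <p>This is my description.<br></p><ul><li>first point</li></ul>
echo sanitize_description($input), "\n";
```

The second pass is what makes the allow-list safe: the tag names decide structure, and no attribute from the source can carry script or styling into the page.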


It may or may not clean it, I dunno. I was just trying to make the point that it goes beyond cleaning script tags. I'm wrapped up in another project right now that I'm trying to hammer through so that I can work on some of my own stuff again... one of the things which is to address this w/o a huge library such as HTML purifier.


Score! I just turned a "Sr. Helper."

 

Anyways... I'm thinking from an authoring standpoint of allowing script tags for people with superuser privileges such as a webmaster/admin position. Normal end users may only be able to add links to resources that exist in a "trusted" list of links and only add pictures that are stored on the local server. This would of course be in addition to cleansing the user input of as much potential XSS attempts as possible.

 

Not sure yet though... this might be overkill for some things. Like I said I'll focus on it more when I get my current project for work done.
