jwhite68 Posted August 28, 2007

I am trying to take external content (text description) that could either be raw text or HTML content, and assign it to a field that will be displayed on my website. Since I want to present the data on my website, I want to strip the majority of HTML tags that control font, colour, size, underlines etc. I know that PHP provides strip_tags for this purpose. The thing is, I want it to keep the carriage returns/newlines, and if possible bullet points. Does anyone know how I can achieve this?

https://forums.phpfreaks.com/topic/67038-strip-tags/
trq Posted August 28, 2007

Take a look at the second argument to strip_tags().
jwhite68 Posted August 28, 2007

Thanks, I see. If my HTML code is like this:

<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US><FONT face="Times New Roman"><BR><FONT face="Verdana, Arial, Helvetica, sans-serif" size=3>This is my description. </FONT></FONT></SPAN></P>

Will setting the <p> tag as allowable also make use of the style, where it sets the margin etc.? The thing is that I only want to allow carriage returns and newlines, and bullet points, and literally nothing else, so I am not clear if this can be achieved without including other options that may be set in the paragraph tag, for example.
dbo Posted August 28, 2007

After seeing a post yesterday about a similar topic I did quite a bit of reading up on this stuff. You should also be wary of attributes of certain tags as well. Apparently a malicious user can apply javascript to about any element. For example: <font size="3" onmouseover="alert('XSS');">Test</font>. Apparently, HTML Purifier is a good way to filter this stuff, but to me it seems awfully bloated... I'm not sure what more I'm going to do in this regard yet. Here are a couple of resources for you to do some more reading if you so desire:

http://shiflett.org/articles/foiling-cross-site-attacks
http://ha.ckers.org/xss.html
http://quickwired.com/smallprojects/php_xss_filter_function.php
http://blog.liip.ch/archive/2005/01/16/xss-how-we-try-to-prevent-it.html

I'm not suggesting that all of these are solutions, but it provides a good variety of problems/attempted solutions. It should give you some additional insight on the topic in general.
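An added example (not code from any poster in this thread) that ties the two points together: the second argument of strip_tags() keeps the structural tags jwhite68 asked about, but it leaves every attribute on those tags in place, so the event-handler attack dbo describes survives the filter; a DOMDocument pass that drops all attributes afterwards closes that gap. The input string is constructed for the demo, and the helper name dropAllAttributes is mine; it assumes the dom and mbstring extensions are loaded.

```php
<?php
// Constructed input in the style of the Word-exported markup quoted above,
// with an event-handler attribute on a <p>, i.e. on a tag the poster wants to keep.
$untrusted = '<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt" onmouseover="alert(\'XSS\')">'
    . '<SPAN lang=EN-US><FONT face="Verdana" size=3>This is my description.</FONT></SPAN></P>'
    . "\n<ul><li onclick=\"alert('XSS')\">first point</li><li>second point</li></ul>";

// Step 1: the allow-list argument keeps only structural tags. Matching is
// case-insensitive, so <P> survives as written; text nodes, including the
// newline between the paragraph and the list, are left untouched. Attributes
// on the surviving tags are NOT removed: class=, style= and onmouseover= stay.
$kept = strip_tags($untrusted, '<p><br><ul><ol><li>');

// Step 2: parse what survived and remove every attribute, so only the tag
// structure (paragraphs, line breaks, lists) reaches the page.
function dropAllAttributes(string $html): string
{
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true); // tolerate sloppy markup quietly
    // Encode non-ASCII as numeric entities so libxml's ISO-8859-1 default
    // cannot mangle UTF-8 input; the wrapper <div> gives NOIMPLIED one root.
    $ascii = mb_encode_numericentity($html, [0x80, 0x10FFFF, 0, 0x1FFFFF], 'UTF-8');
    $doc->loadHTML('<div>' . $ascii . '</div>', LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    // //@* selects every attribute node in the tree, whatever its name or tag.
    $xpath = new DOMXPath($doc);
    foreach (iterator_to_array($xpath->query('//@*')) as $attr) {
        $attr->ownerElement->removeAttributeNode($attr);
    }

    $out = '';
    foreach ($doc->documentElement->childNodes as $child) { // unwrap the <div>
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

$clean = dropAllAttributes($kept);
var_dump(strpos($kept, 'onmouseover') !== false);  // true: strip_tags alone left the handler in
var_dump(strpos($clean, 'onmouseover') !== false); // false: attribute pass removed it
echo $clean, "\n"; // bare <p>, <ul> and <li> tags around the original text
```

Running only step 1 is the configuration the thread warns about; step 2 is the part that actually makes the allowed tags safe to echo.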
trq Posted August 28, 2007

Why don't you test the function on the example string you just provided?
dbo Posted August 28, 2007

It may or may not clean it, I dunno. I was just trying to make the point that it goes beyond cleaning script tags. I'm wrapped up in another project right now that I'm trying to hammer through so that I can work on some of my own stuff again... one of which is to address this w/o a huge library such as HTML Purifier.
dbo Posted August 28, 2007

Score! I just turned a "Sr. Helper." Anyways... I'm thinking from an authoring standpoint of allowing script tags for people with superuser privileges such as a webmaster/admin position. Normal end users may only be able to add links to resources that exist in a "trusted" list of links and only add pictures that are stored on the local server. This would of course be in addition to cleansing the user input of as much potential XSS attempts as possible. Not sure yet though... this might be overkill for some things. Like I said, I'll focus on it more when I get my current project for work done.