Javascript Event Removal

[LegosJedi]

Hey, I'm working with BBCodes, and I'm trying to figure out how to remove Javascript event handlers from BBCodes who have arguments, as in the url BBCode. I know this can be done with Regular Expressions, but I can't find anything on removing the events. There's alot on just taking away the script tags, but no events.

[MadTechie]

as you can add spaces/returns to the word script and it will still run, i have tried to also block that..

 

requires testing

 

try this

<?php
$text = '
hello all
<script language="javascript">
alert("Goto www.phpfreaks.com");
</script>';

//test2
$text = '
hello all
<script language="javascript">
alert("Goto www.phpfreaks.com");
</scr
ipt>';


$$text = preg_replace('%<s\s*c\s*r\s*i\s*p\s*t\s*[^>]*>.*(?=\s</s\s*c\s*r\s*i\s*p\s*t\s*[^>]*>)\s</s\s*c\s*r\s*i\s*p\s*t\s*[^>]*>%sim', '', $text);
?>

[LegosJedi]

No, I mean the javascript events, not the script tags. I mean things like onmouseover="function()". That stuff.

[MadTechie]

Okay, heres an example

$data = preg_replace('/onmouseover="[a-z0-9()_-]*"/si', '', $data);

[LegosJedi]

Yeah, but I want to actually remove the handlers, not the code inside them.

[MadTechie]

Post an example of what you have and what you want!

[LegosJedi]

Okay, so I have a BBCode parser. Currently, if a user posts something like 'javascript:alert('hacked!')' in the url of a url BBCode, when you click on it, it will execute the javascript. I want to have a way to check to see if javascript is found in the url of the url BBCode, and then take them out. Then, you can also hack it by closing off the url tag with a quote, and adding other attributes, like javascript event handlers. I want to be able to take those out, too.