Chevy, posted January 12, 2008 (thread: https://forums.phpfreaks.com/topic/85684-security-of-html-in-php/): I own this site that has profiles, and as of now I only use BBCode to let users edit their page. I want to make it so they can use HTML, but how can I make it so that it bans bad things that could put my site at risk? Thanks
nikefido, posted January 12, 2008: Look up the usual stuff: htmlentities, nl2br, strip_tags <--- might be what you are looking for! etc. (www.php.net)
Chevy (topic author), posted January 12, 2008: Yeah, but I want to allow most HTML. strip_tags will take it all out except the ones I pick, and I want it to take out the ones I pick, like Flash things, JavaScript, things that users could ruin the site with xD
Chevy (topic author), posted January 12, 2008: Any ideas?
revraz, posted January 12, 2008: addslashes to store, stripslashes to retrieve
Chevy (topic author), posted January 12, 2008: No no, I am talking, like, uh, okay: I want to allow all HTML but JavaScript, Flash, Java, things that users could ruin the site with, executable programs and XSS.
CMC, posted January 12, 2008: I think strip_tags would work the best then.

<?php
// Only the tags listed here survive; every other tag is removed.
// Note that strip_tags leaves the attributes of the kept tags untouched.
$allowableTags = "<b><i><a><u><p><marquee><ul><dl>";
$text = strip_tags($text, $allowableTags);
?>
phpSensei, posted January 12, 2008: strip_tags doesn't take out custom tags like
cooldude832, posted January 12, 2008: Really, you don't want to move outside of BB tags. The amount of hassle it is to manage all tags is a lot. First, you have to worry about every tag being closed properly so that your structure isn't altered. Secondly, you have to make sure nothing dangerous is put in. Thirdly, you want to have legal W3 compliance, so you have to verify that. Stick to BBCode and add your own custom tags.
Chevy (topic author), posted January 12, 2008: Ah, that's what I was afraid of. I was hoping there would be an allow tags function xD

$text = allow_tags($varible, '<object><param><embed><script>');

If only, haha.
Chevy (topic author), posted January 14, 2008: I'd like to make this topic live and see if anyone else has any ideas; I know it is possible. I have a word filter, so "javascript" is banned in it, along with document, onclick, onrelease, etc.
tinker, posted January 14, 2008: strip_tags, as CMC says, does what you want. But you'd be best off doing an extended BBCode parser and taking out all other tags first, then converting the BBCode which you allow; should be pretty safe.
Chevy (topic author), posted January 14, 2008: Still not what I am asking. Okay, I am sure you all know about XSS attacks. If I used strip_tags, I would be making a list that is VERY long, because I only want to ban a few HTML tags, like my imaginary function:

$text = allow_tags($varible, '<object><param><embed><script>');

It does pretty much the reverse of strip_tags.
nikefido, posted January 14, 2008: I think we all understand what you're saying; we're telling you it's impractical.
Chevy (topic author), posted January 14, 2008: If it is impractical, then why do sites like MySpace do it? It is not impossible; I have seen a lot of sites do it.
cooldude832, posted January 14, 2008, quoting Chevy ("If it is impractical, then why do sites like MySpace do it? It is not impossible, I have seen a lot of sites do it."): Because they have professional people who get paid big $$$$ to verify and write these functions.
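Added example (PHP, not code from anyone in the thread): the "reverse of strip_tags" Chevy is asking for, done the way it has to be done in practice, as an allowlist over a parsed DOM rather than a denylist of tag names, so unknown tags, on* attributes and javascript: URLs all fall out by default and unbalanced tags are repaired by the parser (cooldude832's first concern). The allowed tag and attribute lists, and the sample input, are assumptions chosen for illustration.

```php
<?php
const ALLOWED_TAGS  = ['b', 'i', 'u', 'p', 'br', 'ul', 'ol', 'li', 'a', 'img']; // assumed allowlist
const ALLOWED_ATTRS = ['a' => ['href', 'title'], 'img' => ['src', 'alt']];       // assumed allowlist

function url_is_safe(string $url): bool
{
    if (preg_match('/^([a-z][a-z0-9+.-]*):/i', trim($url), $m)) {
        return in_array(strtolower($m[1]), ['http', 'https'], true);
    }
    return strpos($url, ':') === false;   // relative URL is fine; odd forms with a stray ':' are not
}

function clean_node(DOMNode $node): void
{
    // Iterate over a copy: removing children from a live NodeList skips siblings.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if (!($child instanceof DOMElement)) {
            if (!($child instanceof DOMText)) { $node->removeChild($child); } // comments, CDATA, PIs
            continue;
        }
        $tag = strtolower($child->tagName);
        if (!in_array($tag, ALLOWED_TAGS, true)) {
            $node->removeChild($child);   // <script>, <object>, <embed> etc. go with their whole subtree
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->name);
            $keep = in_array($name, ALLOWED_ATTRS[$tag] ?? [], true)
                 && (!in_array($name, ['href', 'src'], true) || url_is_safe($attr->value));
            if (!$keep) { $child->removeAttribute($attr->name); }   // on* handlers, style, bad URLs
        }
        clean_node($child);
    }
}

function sanitize_profile_html(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // user markup is rarely well-formed; do not spam warnings
    $doc->loadHTML('<?xml encoding="utf-8"?><body>' . $html . '</body>');
    libxml_clear_errors();
    $body = $doc->getElementsByTagName('body')->item(0);
    clean_node($body);
    $out = '';
    foreach ($body->childNodes as $child) { $out .= $doc->saveHTML($child); }
    return $out;
}

// Constructed sample: wanted markup mixed with the kind of content the thread wants banned.
echo sanitize_profile_html('<p onclick="x()">Hi <b>there</b></p><script>evil()</script>'
    . '<a href="javascript:evil()">bad</a> <a href="https://example.com">ok</a>'), "\n";
```

Running it prints `<p>Hi <b>there</b></p><a>bad</a> <a href="https://example.com">ok</a>`: the handler attribute, the script element and the javascript: link are gone while the permitted markup is untouched.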