Security of HTML in PHP.

[Chevy]

I own this site, that has profiles, and as of now, I only use BBCode to let users edit their page.

 

I want to make it so they can use HTML, but how can I make it so that it bans bad things, that could put my site at risk.

 

Thanks

[nikefido]

look up the usual stuff:

 

htmlentities

nl2br

strip_tags <--- might be what you are looking for!

 

etc..

 

( www.php.net )

[Chevy]

Yea, but I want to allow like most HTML.

 

strip_tags will take it all out, except ones I pick, and I want it to take out the ones I pikc like flash things, javascript, things that users could ruin the site with xD

[Chevy]

Any ideas?

[revraz]

addslashes to store, stripslashes to retrieve

[Chevy]

No no, I am talking like, uh, okay I want to allow all HTML but javascript, flash, java, things that users could ruin the site with executable programs and XSS.

[CMC]

I think strip_tags would work the best then.

<?php
$allowableTags = "<b><i><a><u><p><marquee><ul><dl>";
strip_tags($text,$allowableTags);
?>

[phpSensei]

strip_tags doesnt take out custom tags like

[cooldude832]

really you don't want to move outside of BB tags.  The amount of hassle it is to manage all tags is a lot.

First you have to worry about every tag being closed properly so that your structure isn't altered.

Secondly you have to make sure nothing dangerous is put in

Thirdly  you want to have legal w3 compliance so you have to verify that

Stick to BBcode and add your own custom tags.

[Chevy]

Ah, that's what I was afraid of

 

I was hoping there would be an allow tags function xD

 

$text = allow_tags($varible, '<object><param><embed><script>');

 

If only haha.

[Chevy]

I'd like to make this topic live an see if anyone else as any ideas, I know it is possible.

 

I have a word filter so the javascript in banned in it, along with document, onclick, onrelease, ect.

[tinker]

strip_tags as CMC say's does what you want. But you'd be best off doing an extended BBCode parser and take out all other tags first, then convert the BBCode which you allow, should be pretty safe.

[Chevy]

still not what I am asking.

 

Okay I am sure you all know about XSS attacks.

 

If I used strip_tags, I would be making a list that is VERY long, because I only want to ban a few HTML tags, like my imaginary function.

 

  $text = allow_tags($varible, '<object><param><embed><script>');

 

it does pretty much to reverse of strip_tags.

[nikefido]

i think we all understand what you're saying - we're telling you it's impractical.

[Chevy]

if it is impractical, then why do sites like MySpace do it?

 

It is not impossible, I have seen a lot of sites do it.

[cooldude832]

if it is impractical, then why do sites like MySpace do it?

 

It is not impossible, I have seen a lot of sites do it.

 

 

because they have professional people who get paid big $$$$ to verify and write these functions.