[thelist] PHP - htmlentities

Jackson Yee jyee at vt.edu
Thu Aug 1 18:00:01 CDT 2002


----- Original Message -----
From: "Simon Willison" <simon at incutio.com>
To: <thelist at lists.evolt.org>; <thelist at lists.evolt.org>
Sent: Thursday, August 01, 2002 10:17
Subject: Re: [thelist] PHP - htmlentities


> The only problem with this approach is that ultra-crafty users can still
> insert javascript, by using onmouseover="" and other event based attributes
> on the tags that you allow. I know IE is happy to execute event based tags
> on pretty much any element you care to mention so using strip_tags with
> exceptions can still leave you open to attack.

That's a very good point concerning event attributes and injecting JavaScript
into the string this way.  I'll have to pass the string through a regular
expression replacement filter after strip_tags is called to get rid of these:

$Str = preg_replace('/on.+=\".*\"\s*/i', '', $Str);

That should kill the attributes for the annoying, crafty users and still
permit the rest of the users to customize their own text with <b>, <i>, <em>,
<br />, and so forth.

All of the things that you don't notice when you surf with JavaScript
disabled...

Regards,
Jackson Yee
jyee at vt.edu
http://www.jacksonyee.com/
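The two messages above describe the risk (event attributes surviving strip_tags) and propose a regular expression as the fix. The following is an added example, not code from either poster, written in Python rather than PHP so the checks can be run directly; the function and class names (posted_filter, AllowlistSanitizer, sanitize) are my own. It runs the posted regex over inputs a sanitizer test suite should include, and beside it shows the alternative a defender would normally reach for: tokenise the HTML, keep only the allowed element names, drop every attribute, and escape all remaining text. The same structure ports to PHP using DOMDocument in place of html.parser.

```python
import re
from html import escape
from html.parser import HTMLParser

# Elements the post wants to allow. Attributes are never allowed on them.
ALLOWED_TAGS = frozenset({"b", "i", "em", "br"})
VOID_TAGS = frozenset({"br"})

# The regex proposed in the post, as written; Python's re and PCRE agree on it.
POSTED_EVENT_FILTER = re.compile(r'on.+=\".*\"\s*', re.IGNORECASE)


def posted_filter(s: str) -> str:
    """Apply the posted regex so its behaviour can be compared with the allowlist."""
    return POSTED_EVENT_FILTER.sub("", s)


class AllowlistSanitizer(HTMLParser):
    """Keeps only ALLOWED_TAGS, strips every attribute, escapes all text.

    Disallowed elements are removed but their text content is kept as text,
    so <script> bodies and javascript: links come out as harmless characters.
    """

    def __init__(self):
        # convert_charrefs=True: entities arrive decoded in handle_data and are
        # re-escaped there, so &lt;script&gt; cannot become a live tag.
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_stack = []  # allowed non-void tags currently open

    def handle_starttag(self, tag, attrs):
        # attrs is ignored on purpose: no attribute survives, quoted or not.
        if tag not in ALLOWED_TAGS:
            return
        if tag in VOID_TAGS:
            self.out.append(f"<{tag} />")
        else:
            self.out.append(f"<{tag}>")
            self.open_stack.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open_stack:
            # Close everything opened since the matching tag, keeping output well formed.
            while self.open_stack:
                closed = self.open_stack.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments and declarations carry no user-facing value; drop them

    def handle_decl(self, decl):
        pass

    def handle_pi(self, data):
        pass

    def result(self) -> str:
        self.close()  # flush buffered text
        while self.open_stack:  # close anything the user left open
            self.out.append(f"</{self.open_stack.pop()}>")
        return "".join(self.out)


def sanitize(html: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(html)
    return parser.result()


if __name__ == "__main__":
    # Constructed inputs: one the regex handles, one it misses (single quotes),
    # one where its greedy .+ eats ordinary text, and one with no event attribute.
    samples = [
        '<b onmouseover="alert(1)">hi</b>',
        "<i onmouseover='alert(1)'>hi</i>",
        '<i>Lesson 1="Intro" and Lesson 2="Advanced"</i>',
        '<a href="javascript:alert(1)">x</a> <script>alert(2)</script> <br>',
    ]
    for s in samples:
        print("input    :", s)
        print("regex    :", posted_filter(s))
        print("allowlist:", sanitize(s))
        print()
```

The first sample is the case the post had in mind and the regex removes it; the second differs only in quote style and passes through the regex untouched, while the third shows the greedy `.+` deleting the user's own text from the first "on" it finds. The allowlist version gives the same safe answer for all of them because it never reasons about attribute syntax at all.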