Cleaning "harmful" HTML

ChillAxen 2006-09-28, 6:56 pm
Well, any time I try to post a topic in the "PHP group", it never shows
up, so here's a repost in this group.
Can anyone help me out with cleaning up submitted HTML documents? I
allow a user to submit whatever HTML they want, but I then have to
clean out certain stuff to make sure the HTML isn't harmful to my
members. I am trying to remove any type of scripting that I can from
the submitted HTML and frames.
So far I got:
# This will clean HTML up so that we can save it (removes scripting,
# iframes, etc.)
function Clean_HTML($str, $replace_br=TRUE) {
    # Append a sentinel '<' so the "...[^>]*<" patterns below also catch a
    # tag left unterminated at the very end of the input.
    $str = $str.'<';
    # Drop any tag whose name or attributes contain "script" or "iframe",
    # whether the tag is closed with '>' or runs on into the next '<'.
    $str = preg_replace("/<[^>]*script[^>]*>/i", '', $str);
    $str = preg_replace("/<[^>]*script[^>]*</i", '', $str);
    $str = preg_replace("/<[^>]*iframe[^>]*>/i", '', $str);
    $str = preg_replace("/<[^>]*iframe[^>]*</i", '', $str);
    # Rename inline event-handler attributes (onclick=, onload=, ...) so the
    # browser no longer recognises them.
    $str = preg_replace("/(<[^>]*) on[a-zA-Z]*[^=]*(=[^>]*> )/i", "$1 noscripts$2", $str);
    if ($replace_br == TRUE) {
        $str = str_replace("\r\n", "<br>", $str);
    }
    # Remove the sentinel again.
    $str = substr($str, 0, -1);
    return $str;
}
It works well for what I coded in but I also know that the CSS tag
"@import" and "moz-binding: " can be used to include harmful scripting.
I am also sure there has to be a lot of other ways to include harmful
scripting too.
If you have a function to clean the HTML already, I would truly
appreciate it. If you also know of more ways people can include
harmful HTML, please let me know.
Thanks for anything in advance,
Anthony F Greco.
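As an added example, not code from Anthony's post: the same job done the other way round, as an allowlist on top of PHP's DOMDocument. Only listed tags and attributes survive, so script, iframe, style (and with it @import and moz-binding), event handlers and javascript: links are all dropped without needing a pattern for each; the allowlists and function names are assumptions for illustration.

```php
<?php
// Added example, not the poster's code. The allowlists are assumptions for
// illustration; extend them to fit what members are allowed to post.
const ALLOWED_TAGS    = ['p', 'br', 'b', 'i', 'em', 'strong', 'a', 'ul', 'ol', 'li', 'blockquote'];
const ALLOWED_ATTRS   = ['a' => ['href', 'title']];
const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];

function clean_html_allowlist(string $html): string {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // user markup is rarely well-formed
    // The XML PI makes libxml read the fragment as UTF-8; <body> anchors it.
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $html . '</body>', LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $body = $doc->getElementsByTagName('body')->item(0);
    sanitize_node($body);
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}
function sanitize_node(DOMNode $node): void {
    foreach (iterator_to_array($node->childNodes) as $child) { // static copy: the list is live
        if ($child instanceof DOMText) {
            continue;                   // plain text is always fine
        }
        $tag = $child instanceof DOMElement ? strtolower($child->tagName) : '';
        if (!in_array($tag, ALLOWED_TAGS, true)) {
            $node->removeChild($child); // comments and unlisted elements go, content included
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->name);
            $ok = in_array($name, ALLOWED_ATTRS[$tag] ?? [], true);
            if ($ok && $name === 'href') {
                // Browsers ignore tabs/newlines inside URLs: strip controls, then pass only relative URLs or listed schemes.
                $url = preg_replace('/[\x00-\x20]+/', '', $attr->value);
                $ok = !preg_match('/^([a-z][a-z0-9+.-]*):/i', $url, $m)
                    || in_array(strtolower($m[1]), ALLOWED_SCHEMES, true);
            }
            if (!$ok) { $child->removeAttribute($attr->name); }
        }
        sanitize_node($child);
    }
}

// Constructed sample input covering the vectors raised in the thread.
$sample = '<p onclick="x()">Hi <b>there</b><script>alert(1)</script><iframe src="//e.example"></iframe>'
        . '<style>@import url(e.css)</style><a href="java&#9;script:alert(1)">link</a></p>';
echo clean_html_allowlist($sample), "\n";
```

The sample keeps the paragraph, the bold text and a link with its href removed; everything else in the input is gone, including the tab-obfuscated javascript: URL that a blacklist regex on the literal word would miss.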

Colin McKinnon 2006-09-28, 6:56 pm
ChillAxen wrote:
>
> Can anyone help me out with cleaning up submitted HTML documents? I
> allow a user to submit whatever HTML they want, but I then have to
> clean out certain stuff to make sure the HTML isn't harmful to my
> members. I am trying to remove any type of scripting that I can from
> the submitted HTML and frames.
>
strip_tags() ?
(http://uk2.php.net/strip_tags)
C.

Schluppy 2006-09-28, 9:56 pm
On Thu, 28 Sep 2006 12:54:41 -0700, ChillAxen wrote:
> Well, any time I try to post a topic in the "PHP group", it never shows
> up, so here's a repost in this group,
>
> Can anyone help me out with cleaning up submitted HTML documents? I
> allow a user to submit whatever HTML they want, but I then have to
> clean out certain stuff to make sure the HTML isn't harmful to my
> members. I am trying to remove any type of scripting that I can from
> the submitted HTML and frames.
>
> So far I got:
>
> snip
>
> It works well for what I coded in but I also know that the CSS tag
> "@import" and "moz-binding: " can be used to include harmful scripting.
> I am also sure there has to be a lot of other ways to include harmful
> scripting too.
>
> If you have a function to clean the HTML already, I would truly
> appreciate it. If you also know of more ways people can include
> harmful HTML, please let me know.
>
> Thanks for anything in advance,
>
> Anthony F Greco.
I'd recommend not re-inventing the wheel. There are probably dozens of
functions and classes available to do such things.
Here's one I'm fond of:
http://cyberai.com/inputfilter/
--
Schluppy

ChillAxen 2006-09-29, 6:57 pm
Thank you =]. What I wanted was an already coded class, just couldn't
find one =]. Thank you so much.
Schluppy wrote:
> On Thu, 28 Sep 2006 12:54:41 -0700, ChillAxen wrote:
>
>
> I'd recommend not re-inventing the wheel. There are probably dozens of
> functions and classes available to do such things.
>
> Here's one I'm fond of:
> http://cyberai.com/inputfilter/
>
> --
> Schluppy