Code Comments
Well, any time I try to post a topic in the "PHP group", it never shows
up, so here's a repost in this group,

Can anyone help me out with cleaning up submitted HTML documents? I
allow a user to submit whatever HTML they want, but I then have to
clean out certain stuff to make sure the HTML isn't harmful to my
members. I am trying to remove any type of scripting that I can from
the submitted HTML and frames.

So far I got:

# This will clean HTML up so that we can save it (removes scripting, iframes, etc.)
function Clean_HTML($str, $replace_br=TRUE) {
    # Append a sentinel '<' so the "unclosed tag" patterns can match at end of input
    $str = $str.'<';
    # Remove tags containing "script", closed or left unclosed
    $str = preg_replace("/<[^>]*script[^>]*>/i", '', $str);
    $str = preg_replace("/<[^>]*script[^>]*</i", '', $str);
    # Remove tags containing "iframe", closed or left unclosed
    $str = preg_replace("/<[^>]*iframe[^>]*>/i", '', $str);
    $str = preg_replace("/<[^>]*iframe[^>]*</i", '', $str);
    # Rename on* event-handler attributes so they no longer fire
    $str = preg_replace("/(<[^>]*) on[a-zA-Z]*[^=]*(=[^>]*> )/i", "$1 noscripts$2", $str);
    if ($replace_br==TRUE) { $str = str_replace("\r\n", "<br>", $str); }
    # Drop the last character again (the sentinel added above)
    $str = substr($str,0,-1);
    return $str;
}

It works well for what I coded in but I also know that the CSS tag
"@import" and "moz-binding: " can be used to include harmful scripting.
I am also sure there have to be a lot of other ways to include harmful
scripting too.
If you have a function to clean the HTML already, I would truly
appreciate it. If you also know of more ways people can include
harmful HTML, please let me know.
Thanks for anything in advance,
Anthony F Greco.

ChillAxen wrote:
>
> Can anyone help me out with cleaning up submitted HTML documents? I
> allow a user to submit whatever HTML they want, but I then have to
> clean out certain stuff to make sure the HTML isn't harmful to my
> members. I am trying to remove any type of scripting that I can from
> the submitted HTML and frames.
>

strip_tags() ? (http://uk2.php.net/strip_tags)

C.

On Thu, 28 Sep 2006 12:54:41 -0700, ChillAxen wrote:
> Well, any time I try to post a topic in the "PHP group", it never shows
> up, so here's a repost in this group,
>
> Can anyone help me out with cleaning up submitted HTML documents? I
> allow a user to submit whatever HTML they want, but I then have to
> clean out certain stuff to make sure the HTML isn't harmful to my
> members. I am trying to remove any type of scripting that I can from
> the submitted HTML and frames.
>
> So far I got:
>
> snip
>
> It works well for what I coded in but I also know that the CSS tag
> "@import" and "moz-binding: " can be used to include harmful scripting.
> I am also sure there have to be a lot of other ways to include harmful
> scripting too.
>
> If you have a function to clean the HTML already, I would truly
> appreciate it. If you also know of more ways people can include
> harmful HTML, please let me know.
>
> Thanks for anything in advance,
>
> Anthony F Greco.

I'd recommend not re-inventing the wheel. There are probably dozens of
functions and classes available to do such things.

Here's one I'm fond of:
http://cyberai.com/inputfilter/

--
Schluppy

Thank you =]. What I wanted was an already coded class, just couldn't
find one =]. Thank you so much.

Schluppy wrote:
> On Thu, 28 Sep 2006 12:54:41 -0700, ChillAxen wrote:
>
> I'd recommend not re-inventing the wheel. There are probably dozens of
> functions and classes available to do such things.
>
> Here's one I'm fond of:
> http://cyberai.com/inputfilter/
>
> --
> Schluppy
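
An added example, not part of the thread and not the linked InputFilter class: an allowlist cleaner built on PHP's bundled DOM extension, which parses the submitted markup and keeps only listed tags and attributes instead of pattern-matching for known-bad strings such as "script" or "@import". The tag list, attribute list, link-scheme rule and function names are assumptions chosen for illustration.

```php
<?php
// Added example. Tag and attribute lists are assumptions; adjust to your site.
const ALLOWED_TAGS  = ['p', 'br', 'b', 'i', 'em', 'strong', 'ul', 'ol', 'li', 'blockquote', 'a'];
const ALLOWED_ATTRS = ['a' => ['href', 'title']];
// Elements removed together with everything inside them.
const DROP_WHOLE    = ['script', 'style', 'iframe', 'frame', 'frameset', 'object', 'embed'];

function sanitize_children(DOMNode $parent): void {
    // Snapshot the child list: the tree is modified while we walk it.
    foreach (iterator_to_array($parent->childNodes) as $node) {
        if ($node->nodeType === XML_TEXT_NODE) continue;   // escaped again on output
        $tag = strtolower($node->nodeName);
        if ($node->nodeType !== XML_ELEMENT_NODE || in_array($tag, DROP_WHOLE, true)) {
            $parent->removeChild($node);                   // comments, CDATA, script, ...
            continue;
        }
        sanitize_children($node);
        if (!in_array($tag, ALLOWED_TAGS, true)) {
            // Unlisted element: keep its cleaned children, drop the element itself.
            while ($node->firstChild) $parent->insertBefore($node->firstChild, $node);
            $parent->removeChild($node);
            continue;
        }
        foreach (iterator_to_array($node->attributes) as $attr) {
            $name = strtolower($attr->nodeName);
            $ok = in_array($name, ALLOWED_ATTRS[$tag] ?? [], true);
            // Links may only use a listed scheme or a site-relative path.
            if ($ok && $name === 'href') {
                $ok = preg_match('#^(https?://|mailto:|/)#i', trim($attr->value)) === 1;
            }
            if (!$ok) $node->removeAttributeNode($attr);   // on* handlers, style, ...
        }
    }
}

function clean_html_allowlist(string $html): string {
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);              // tolerate malformed markup
    $doc->loadHTML('<?xml encoding="UTF-8">' . $html);     // prefix makes libxml read UTF-8
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) return '';
    sanitize_children($body);
    $out = '';
    foreach ($body->childNodes as $child) $out .= $doc->saveHTML($child);
    return $out;
}

// Constructed sample input using the constructs named in the thread.
echo clean_html_allowlist('<p onclick="x()">Hi <script>x()</script><a href="http://example.com/">link</a></p><iframe src="/f"></iframe>');
```

Because the `style` attribute and `<style>` element are not on the allowlist, the CSS routes mentioned in the original post ("@import", "moz-binding") are dropped without needing a pattern for each one.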