The Html &lt;tag&gt; security

The Html <tag> security

Anon

Hi all,

I am doing a project which can allow people to input HTML <tag> in the text box. But It is not secure because sometimes people can input <script> to do some bad things.

I know I can use htmlspecialchars() to sanitize the input data but then people can't input any HTML <tag>!

Are there any other solutons that either can allow people to input <tag> except bad tags, e.g. <script>, or don't cause any security problems.

Cheers

Anon

http://www.php.net/strip-tags

khaine

You could target the problem tags directly with a string replace.

$string='<SCRIPT language="javascript">':

$newstr=eregi_replace("<SCRIPT", "", $string);

anyone entering a script tag will have the open and close tags removed. It will just leave a bit of a mess in its wake. But no security risk.

Mark.

Anon

Can anyone tell me how to do it in a real life?

e.g.
<form method='post' action=<? echo "post.php";?>
<input type ='text' name='visitor'>
<input type ='submit' value='whatever'>
</form>

How should I add
$string='<SCRIPT language="javascript">':

$newstr=eregi_replace("<SCRIPT", "", $string);

Cheers

Anon

If you had a form that looked something like

Enter your text here<BR>

</FORM>

When the submit button is hit the program to deal with it could look something like.

<?php

$clnstr=eregi_replace("<SCRIPT", "", $textin);

etc etc

After the replace has been performed you are free to do what ever you want with the string without the script tag. If someone typed "<SCRIPT>naff up the program</SCRIPT>"
the replace would change the string to ">naff up the program</SCRIPT>" which would have no effect in a html environment.

Mark.

Anon

Thanks, Mark.

Are there any other solutions?

By the way, do you know any other dangerous tags like <script>?

Cheers
Angela