Field validation - allow <IMG>?

ssanders82

Hey I'm trying to write a classified ads site where the user has a large "description" field (like eBay). I want to allow them to have tables and tags like <b>, but to strip away all potentially harmful tags like <form>, <script>. I read something on the Manual that there was a bug in some browsers that allowed people to say <IMG SRC="javascript:..."> and possibly do some harm. He advised not to let people use <IMG>. My question is: I really would like them to be able to link images; does anyone know how I could safeguard against this bug? How do the "big" sites do it and remain safe? I'm trying to learn regular expressions, but they are very confusing. any opinions would be appreciated, thanks.

br__ken

your best bet would be to write a regx to validate all the tags.. its not that hard once you get the hang of them (and these would only have to be fairly simple..

$rep=array("/\\<script (.*?)\\>/i" => "&lt;script $1&gt;",
				"/\\<\\/script\>/i" => "&lt;/script&gt;");

$text="<script language=javascript>function x </script>";
$retVal=preg_replace(array_keys($rep),array_values($rep),$text);
echo $retVal;

that would neutralize all (script) tags, if you need some help just PM me::

anothe thing you can do is strip all the html tags first, and have them use a BBCode type format to put in tables/etc/etc