user HTML validation

ucbones

Hi,

I'm writing some simple forums, and I'm just trying to anticipate as many eventualities as possible.

I'm allowing HTML, as it makes the site easier to use, though I'm filtering almost all tags, and I've filtered most dangerous attributes that I can think of (see http://www.phpbuilder.com/board/showthread.php?s=&threadid=10267851).

I've [man]addslashes()[/man] and checked for [man]empty()[/man].

I'm wordwrapping and I'm sizing down big images (a very cunning system that exists only as a though at the moment 😃!)

What else can I do to make sure that the input isn't dangerous either for the database or mucking up my page layout?

Cheers,

ucbones

yelvington

Validate the HTML. I believe html tidy is being integrated into upcoming releases of PHP. Until then, install a tidy binary on your server, run the input through tidy to fix common user idiocy, and post the result.

Tidy is available from tidy.sourceforge.net.

I wrote the following awhile back to brute-force user input through tidy. Since tidy makes the input into a complete HTML document, and I only want the snippet, I pluck it out of the tidyized data using a regular expression.



function validate($input)
        {
        $input = stripslashes($input);
        $input = ereg_replace("\r\n\r\n", "\n<p>", $input);
        $input = str_replace('\n','<p>',$input);
        $input = "<p>$input";
        $input = strip_tags($input,'<blockquote><a><b><i><img><br><u><p><em>');

    $temp = tempnam('/tmp','foo');
    $tf = fopen($temp, 'w');
    fwrite($tf, $input);
    fclose($tf);
    $input = `/usr/local/bin/tidy -indent  $temp`;
    ereg('(<body>)(.*)(<\/body>)', $input, $matches);
    $input = $matches[2];
    unlink($temp);
    return addslashes($input);
    }