how safe is this .. easier way?

f8ball

I'm working on a cms that allows users to update their profiles. I want to set it up so they can't enter html tags. Some of the users have an html tag in their profile .. ie like their company name <b>

So what I was thinking rather than stripping the tags is to replace the first < with < wherever that info is being displayed.

Is that stupid? Is there another way I can do this so that makes more sense .. curious. Thx.

Here's what I've got:

ereg_replace("<","&lt;", $company)

klik

Cant pass the variables through the stip_tags function?

$variable = strip_tags($variable);

f8ball

I don't think that will work .. because the tag will show up. The problem I saw was the tag being used is essentially open .. so everything after the tag is affected.

I was thinking of using ereg_replace wherever the info would appear, but then I thought about it and think it needs to go where the user inputs the info .. so the db will record < instead of the < which should .. and I say should, because I'm crossing my fingers .. break the code yet still display the tag .. so it's a character instead of a tag.

Does that make sense?

rehfeld

this is why bbcode is used so commonly.

i wouldnt not try and just replace the first < w/ its html entity

thats VERY easy to get around.

stil not sure if you want users to be able to post html or not. it sounds like you dont, but you do want to let them have html in thier signatures.

if thats the case, i would implement bbcode.

if you dont want html at all, first, run strip_tags() on it, then run htmlentities() on it.

strip_tags isnt perfect, ive heard you can carefully craft strings to get through it. but htmlentities will clean up whatever is left.

f8ball

Originally posted by rehfeld
this is why bbcode is used so commonly.

i wouldnt not try and just replace the first < w/ its html entity

thats VERY easy to get around.

That's what I was thinking .. aaaaaaaaaaaaa .. bbcode won't work because I don't want HTML to show up at all. This is driving me nuts.

Say the person's company name is Minds <i> .. If I set up bbcode I'm pretty sure anything after the <i> (converted to ) would still be italicized. So .. I'm thinking I could use strip_tags AND ereg_replace that character with < and maybe that would do it.

The area I'm currently working on isn't that big of a security issue, but there will be a public area following this that could bump into the same problem.

I was hoping there'd be an easy way to do this .. I think I'll swap the character on input and strip the html tags on output just to be safe. I'll look into that other function as well. Haven't used that one yet. Thx for the advice.

laserlight

bbcode won't work because I don't want HTML to show up at all.

Then take rehfeld's 2nd suggestion - use [man]htmlentities/man, or [man]htmlspecialchars/man.