filter out all html

jasondavis

Hi I have a script I didn't code but the people who did used javascript to filter out html. Below is the script they used, is there something similar that would do the same thing in PHP also this data is being inserted into mysql

	<SCRIPT LANGUAGE="JavaScript">

<!-- Begin
var mikExp = /[$\\@\\\#%\^\&'"\*\(\)\[\]\+\_\{\}\`\~\=\|]/;
/*function dodacheck(val) {
var strPass = val.value;
var strLength = strPass.length;
var lchar = val.value.charAt((strLength) - 1);
if(lchar.search(mikExp) != -1) {
var tst = val.value.substring(0, (strLength) - 1);
val.value = tst;
   }
}*/
function doanothercheck() {


if(document.frm1.subject.value.search(mikExp) != -1)
	{
	alert("Sorry, but the html characters are not allow in Subject");
	document.frm1.subject.select();
	document.frm1.subject.focus();
	return false;
	}
	return true;
}
//  End -->

</script>

Weedpacket

Er, how is "HTML" defined? As far as I can make out, this sentence is HTML because it contains quotes and apostrophes (not to mention a pair of parentheses).

Whatever the definition is, the equivalent to Javascript regular expressions is [man]preg_match[/man]; if you're wanting to strip out HTML tags, then the function is [man]strip_tags[/man], and if you're wanting to make text safe for MySQL input it's either [man]mysql_real_escape_string[/man] or use the [man]PDO[/man] interface for MySQL and have the drivers do all the necessary prophylactic stuff for you.

jasondavis

I guess if any of these characters are found in the text input box var mikExp = /[$\@\#%^\&'"*()[]+_{}`\~\=|]/; it will return error, which works fine until someone disables javascript then they can post anything they want

jasondavis

Here is the function I have come up with so far, is there a better way of doing it for a really high traffic site?

<?php
function FilterHTML ($text) {
	$matches = array();
	preg_match_all("'<stript[/!]*?[^<>]*?</script>'si",$text,$matches);
	for ($x=0;$x<count($matches);$x++) {
		$string = $matches[$x];
		$changed = str_replace($string,"",$text);
	}

$matches = array();
preg_match_all("'<style[/!]*?[^<>]*?</style>'si",$text,$matches);
for ($x=0;$x<count($matches);$x++) {
	$string = $matches[$x];
	$changed = str_replace($string,"",$text);
}

$matches = array();
preg_match_all("'<[/!]*?[^<>]*?>'si",$text,$matches);
for ($x=0;$x<count($matches);$x++) {
	$string = $matches[$x];
	$changed = str_replace($string,"",$text);
}

for ($x=100;$x>0;$x--) {
	$white = '';
	for ($y=1;$y<$x;$y++) {
		$white .= ' ';
	}
	$changed = str_replace($white,' ',$changed);
}

for ($x=1;$x<3;$x++) {
	$changed = str_replace("nnnn","n",$changed);
	$changed = str_replace("nnn","n",$changed);
	$changed = str_replace("nn","n",$changed);
}

return $changed;
}



//Filter input variable before saving into MySQL DB
$textinput = '<a href="http://sdfsdf.com">dfdfg</a> <span>sdfsdf';

echo FIlterHTML($textinput);
?>

MarkR

You may want to consider using the PHP built-in function strip_tags, which does pretty much the same thing.

If you don't want to strip ALL html, but only the dangerous stuff, that is a lot more difficult, because there are more ways of doing things than you think.

The built-in strip_tags only removes unwanted ELEMENTS, not attributes. Attributes are just as bad, because they can be used to execute script etc. So strip_tags is only really useful to remove ALL tags.

It's not sufficient to remove script elements and attributes whose names start with "on".

One way I've done it in the past is to parse the HTML fragment into a DOM, remove anything not on a whitelist, then rebuild it into a valid HTML fragment. This also has the advantage that it beats exploits which use badly-formed HTML.

Whitelisting tags/attributes (rather than blacklisting) is a really good idea, because there are heaps of custom ones which some browsers support, which let people do BAD THINGS.

In general this is very difficult.

Mark