filtering help needed

jasondavis

Ok Im having a bit of trouble I have this function to filter some html items I do not want users to be able to use

The problem is for example the first item "<html>" it will replace it with "bad" however if I change any of the letters to uppercase it no longer works, and ideas how to filter the below items?

Also I need a function for a different area that will filter any html

Thanks for the help anyone 🙂

function FilterHTML($val)
{
$temp=str_replace("<html>","bad",$val);
$temp=str_replace("</html>","",$temp);
$temp=str_replace("</script>","",$temp); 
$temp=str_replace("<script>","",$temp);
$temp=str_replace("<iframe>","",$temp);
$temp=str_replace("</iframe>","",$temp);
$temp=str_replace("alert","",$temp); 
$temp=str_replace("<STYLE","",$temp);
$temp=str_replace("<style","",$temp);
$temp=str_replace("xss","",$temp);
$temp=str_replace("xml","",$temp);
$temp=str_replace("DATASRC","",$temp); 
$temp=str_replace("meta","",$temp);
$temp=str_replace("ONLOAD","",$temp);
$temp=str_replace("mocha","",$temp);
$temp=str_replace("<table>","",$temp); 
$temp=str_replace("<tr>","",$temp);
$temp=str_replace("</tr>","",$temp);
$temp=str_replace("</td>","",$temp);
$temp=str_replace("<td>","",$temp); 
$temp=str_replace("<th>","",$temp);
$temp=str_replace("</th>","",$temp);
$temp=str_replace("</table>","",$temp);
$temp=str_replace("<body>","",$temp); 
$temp=str_replace("</body>","",$temp);
$temp=str_replace("</SCRIPT>","",$temp);
$temp=str_replace("<SCRIPT>","",$temp);
$temp=str_replace("<IFRAME>","",$temp);
$temp=str_replace("</IFRAME>","",$temp); 
$temp=str_replace("ALERT","",$temp);
$temp=str_replace("<STYLE","",$temp);
$temp=str_replace("<style","",$temp);
$temp=str_replace("XML","",$temp); 
$temp=str_replace("datasrc","",$temp);
$temp=str_replace("datasrc","",$temp);
$temp=str_replace("META","",$temp);
$temp=str_replace("onload","",$temp); 
$temp=str_replace("<TABLE>","",$temp);
$temp=str_replace("<TR>","",$temp);
$temp=str_replace("</TR>","",$temp);
$temp=str_replace("</TD>","",$temp); 
$temp=str_replace("<TD>","",$temp);
$temp=str_replace("<TH>","",$temp);
$temp=str_replace("</TH>","",$temp);
$temp=str_replace("</TABLE>","",$temp); 
$temp=str_replace("<BODY>","",$temp);
$temp=str_replace("</BODY>","",$temp);
$temp=str_replace("<HTML>","",$temp);
$temp=str_replace("</HTML>","",$temp); 

$temp=str_replace("<font>","bad",$temp); 


return $temp;
}

NogDog

If using PHP5, use [man]str_ireplace/man for case-insensitive replacement.

Consider using [man]strip_tags/man to delete all HTML tags.