Well, the reply system on my site allows for use of html tags. This poses a security risks. And I want to disable it. But I have no clue on how to do it, other than encrypting it. But that would be rather pointless. So any suggestions?
$message = htmlspecialchars($message);
To custom-filter out certain characters you can use:
$message = preg_replace('/<script>/', '[script]', $message); // only for <script>
$message = preg_replace(array('/</', '/>/'), '', $message); // for < and >
$message = preg_replace(array('/</', '/>/'), array('&lt;', '&gt;'), $message); // for both < and > with their own encoding
Ah thanks, will it be safe to just replace the <script>? Or will that still pose a security threat?
They can use <script attribute="value">, then it won't work.
But if you block "<script" it will get rid of most threats, but I cannot guarantee that it will block all threats...prolly not.
Then I'll just implement BB code.
Class that parses BBCodes for PHP
That's a nice class :), you can make your own tags.
PS: please add this: $message = preg_replace(array('/\r\n/', '/\n/', '/\r/'), '<br>', $message); because enters do not work in your script ^^.
Creating the BB code at the moment. I'm also adding the enter thingy.
- - -
Hmm, your enter script doesn't really work, it just prints \r\n for every enter. lol.
This is how I'm using it:
$message = preg_replace(array('/\r\n/', '/\n/', '/\r/'), '<br>', (mysql_real_escape_string(htmlspecialchars(($_POST['message'])))));
Try this as 1st argument:
array("/\r\n/", "/\n/", "/\r/")
Doesn't work, it now just puts them as a space.
Works fine for me:
preg_replace(array("/\r\n/", "/\n/", "/\r/"), '<br>', $var);
Got it working, I put the htmlspecialchars in the display script, rather than in the input script. Thanks again Daevius. :grin:
Hmm, it seems your script and htmlspecialchars are conflicting. When I use both, it prints <br/> instead of just the enter. Any suggestions?
EDIT: Shit, sorry for double post.
Use htmlspecialchars before the preg_replace ;)
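The render-time ordering recommended here (escape first, then add your own markup) plus the BB code approach from earlier in the thread, as one added example that is not code from the thread or from the linked BBCode class. It assumes the raw reply text was stored unmodified (escaping for the database is a storage concern and is never applied when displaying), and the `render_message` function name and the constructed sample input are mine:

```php
<?php
// Added example: render a stored reply for display.
// Assumption: $raw is the text exactly as the user typed it (stored unmodified).

function render_message(string $raw): string
{
    // 1. Escape first. Every < > & " ' becomes an entity, so no user-supplied
    //    tag or attribute can survive into the output.
    $safe = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // 2. Only now introduce markup we control: CRLF, LF and CR become <br>.
    //    Note: if mysql_real_escape_string ran before this step it would have
    //    turned each newline into a literal backslash-n, which /\n/ never matches;
    //    that is the "prints \r\n" symptom seen earlier in the thread.
    $safe = preg_replace(array("/\r\n/", "/\n/", "/\r/"), '<br>', $safe);

    // 3. Whitelisted BB code -> HTML. The patterns run on already-escaped text,
    //    so captured content cannot contain a raw < or ".
    $safe = preg_replace('/\[b\](.*?)\[\/b\]/s', '<b>$1</b>', $safe);
    $safe = preg_replace('/\[i\](.*?)\[\/i\]/s', '<i>$1</i>', $safe);

    // [url] only accepts http(s) targets; any other scheme is left as plain text.
    $safe = preg_replace_callback(
        '/\[url\](https?:\/\/[^\s\[\]]+)\[\/url\]/i',
        function (array $m): string {
            return '<a href="' . $m[1] . '" rel="nofollow">' . $m[1] . '</a>';
        },
        $safe
    );

    return $safe;
}

// Constructed sample input for the demonstration.
$input = "Hello <b>world</b>\r\n[b]bold[/b] and [url]https://example.com/?a=1&b=2[/url]\n"
       . "[url]mailto:someone@example.com[/url]";
echo render_message($input), "\n";
```

The user's `<b>` is shown literally, the BB code `[b]` becomes a real tag, the `&` in the query string is already `&amp;` by the time it lands in `href`, and the `mailto:` link is not converted because only `http`/`https` passes the whitelist.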
That is a lot more convenient than my yeah... lol.
Don't just block <script since there are a gazillion other tags that can be used to inject scripts like <img onerror="window('hello world!')" src="www.not.a/real.site">
Filtering all < and > chars should be enough to eliminate most noob script attempts, but there would be other ways still... of course it would help if most users' browsers weren't so forgiving of non-standards-compliant code :rolleyes:
Good luck! :smile:
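To make the point of the last two replies concrete, here is an added comparison (my code, not from the thread) of the `<script` blocklist against plain output encoding, using the `<img onerror>` sample quoted above as one of three constructed inputs. The function names and the `contains_raw_tag` check are assumptions of mine:

```php
<?php
// Added example: why a "<script" blocklist is not a sufficient control.

// The blocklist approach discussed in the thread.
function blocklist_filter(string $message): string
{
    return preg_replace('/<script/i', '[script', $message);
}

// Output encoding: the control that neutralises every tag, known or not.
function escape_filter(string $message): string
{
    return htmlspecialchars($message, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// For this check a rendered message counts as safe only if no '<' that starts
// a tag (letter, '!' or '/') survives; a bare "a < b" comparison is allowed.
function contains_raw_tag(string $html): bool
{
    return preg_match('/<[a-z!\/]/i', $html) === 1;
}

// Constructed samples; the second one is the thread's own example.
$samples = array(
    '<script>x</script>',
    '<img onerror="window(\'hello world!\')" src="www.not.a/real.site">',
    'plain text with a < b comparison',
);

foreach ($samples as $s) {
    printf("blocklist: %-4s  escape: %-4s  %s\n",
        contains_raw_tag(blocklist_filter($s)) ? 'FAIL' : 'ok',
        contains_raw_tag(escape_filter($s)) ? 'FAIL' : 'ok',
        $s);
}
```

The blocklist passes the `<img>` sample untouched and even leaves the `</script>` closing tag of the first sample in place, while `htmlspecialchars` turns all three into inert text. Filtering is a guessing game about the attacker's vocabulary; encoding on output removes the need to guess.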