I have users fill out a form that gets recorded in a database. I need to be able to remove any HTML code from it. I have been looking at strip_tags() but am worried about some XSS issues. What is the best way to remove any HTML code from the input data? There should be no links or anything in this part of the data. Thanks for any advice.
I have been using this for some time now. It's easy to customize to suit your needs.

```php
<?php
// $document should contain an HTML document.
// This will remove HTML tags, javascript sections
// and white space. It will also convert some
// common HTML entities to their text equivalent.
$search = array(
    '~<script[^>]*?>.*?</script>~si', // Strip out javascript
    '~<[/!]*?[^<>]*?>~si',            // Strip out HTML tags
    '~([\r\n])[\s]+~',                // Strip out white space
    '~&(quot|#34);~i',                // Replace HTML entities
    '~&(amp|#38);~i',
    '~&(lt|#60);~i',
    '~&(gt|#62);~i',
    '~&(nbsp|#160);~i',
    '~&(iexcl|#161);~i',
    '~&(cent|#162);~i',
    '~&(pound|#163);~i',
    '~&(copy|#169);~i',
);
$replace = array(
    '',
    '',
    '\1',      // keep the line break itself, drop the whitespace after it
    '"',
    '&',
    '<',
    '>',
    ' ',
    chr(161),
    chr(162),
    chr(163),
    chr(169),
);
$text = preg_replace($search, $replace, $document);

// Remaining numeric entities (&#NNN;) are decoded through a callback.
// The original used the /e modifier for this step, which PHP 7 and
// later no longer support.
$text = preg_replace_callback(
    '~&#(\d+);~',
    function ($m) { return chr((int) $m[1]); },
    $text
);

// Note: entity decoding runs after tag stripping, so $text can contain
// literal <, > and & characters again. Escape it (e.g. htmlspecialchars())
// whenever it is written back into a page.
?>
```

Source: http://www.tipsntutorials.com/tips/PHP/41 (Sorry I don't have enough posts for live links.)
Why strip it? Just protect against it: run it through the HTML translation table (and array_flip() to go back). This way you don't remove anything, you just make it safe!

```php
<?php
// Convert characters with HTML entity equivalents (<, >, &, quotes, ...)
// into their entity form so the text renders as literal text, not markup.
function to_entities($in)
{
    $temp = get_html_translation_table(HTML_ENTITIES);
    return strtr($in, $temp);
}

// Reverse mapping: turn the entities back into plain characters.
function to_iso($in)
{
    $temp = array_flip(get_html_translation_table(HTML_ENTITIES));
    return strtr($in, $temp);
}
?>
```

dm!
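An added example, my own code rather than anything posted in this thread or taken from the tipsntutorials snippet, putting the two answers above side by side: strip tags when the form is stored (the original poster wants no links at all) and escape with htmlspecialchars() whenever the value is printed. The function names and the sample submission are constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example: store plain text only, escape on output (not thread code).

// Input side: remove every tag and normalise whitespace before storing.
// Caveat shown below: strip_tags() drops the tags but keeps their text
// content, so the body of a <script> element survives as plain text.
function clean_for_storage(string $input): string
{
    $text = strip_tags($input);
    // Collapse runs of whitespace (unicode-aware) and trim the ends.
    $text = preg_replace('/\s+/u', ' ', $text);
    return trim($text ?? '');
}

// Output side: escape every time the stored value is placed in HTML,
// regardless of what was done on the way in. ENT_QUOTES covers both
// quote styles so the value is also safe inside attribute values.
function escape_for_html(string $stored): string
{
    return htmlspecialchars(
        $stored,
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
}

// Constructed sample submission mixing markup, a script element,
// quotes, an ampersand and a link.
$submitted = 'Hi <b>there</b><script>alert(1)</script> I like "quotes" & '
           . '<a href="http://example.com">links</a>';

// Approach 1 (strip, as in the regex answer): tags and the link are gone,
// the script body remains only as inert text, and the result still
// needs escaping because of the quotes and the ampersand.
$stored = clean_for_storage($submitted);
echo escape_for_html($stored), "\n";

// Approach 2 (escape only, as in the translation-table answer): nothing
// is removed; the markup is rendered as literal text instead of executed.
echo escape_for_html($submitted), "\n";
```

Whichever approach is used on input, the escape at output time is the step that actually prevents the stored value from being interpreted as markup.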
I've got an XSS vulnerability in the advanced search PHP code for an osCommerce store that I need fixed. I would greatly appreciate it if someone could provide the code and tell me which PHP file I need to insert the code into. Please understand I'm a DBA and not a PHP coder, so I need the KISS approach.