Dennis Gearon wrote:
Make sure to remove tags via:

$var_that_will_be_displayed = strip_tags( $var_from_user_input_via_POST_or_GET_or_COOKIE );

if you are going to display or mail it as part of a link (email or URL), you might do this instead:

$var_that_will_be_part_of_a_link = strip_tags( rawurldecode( $var_from_user_input_via_POST_or_GET_or_COOKIE ) );

See this page:

http://www.cgisecurity.com/articles/xss-faq.shtml

Yeah, use strip_tags so you can get rid of evil, malicious content such as <grin>... gasp! Just use htmlentities() like others have already suggested, so you don't change the user's input. There's nothing more annoying than programs that strip out content from what users write because they think it's bad. Using allowed_tags with strip_tags() just introduces the possibility for vulnerabilities since attributes aren't checked. Javascript in a <b> tag, you say? Yep...


--
---John Holmes...

Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/

php|architect: The Magazine for PHP Professionals – www.phparch.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
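The point John makes about allowed_tags, shown in code. This is an added example and not code from either poster: it runs the same constructed input through strip_tags() with an allow-list, through htmlspecialchars(), and through a small helper for the link case. The helper name safe_link and the sample input are assumptions; for the link case it uses rawurlencode() (percent-encoding the value before it goes into the URL) rather than the rawurldecode() call in the quoted post.

```php
<?php
// Added example (not from the original thread): why strip_tags() with an
// allow-list is not an XSS defence, and what output escaping looks like instead.

// Constructed sample of untrusted input: <b> is on the allow-list below, but it
// carries an event-handler attribute; <script> is not on the list.
$untrusted = 'Hello <b onmouseover="evil()">world</b> <script>bad()</script>';

// 1. strip_tags() with allowed tags removes the <script> tags (the text inside
//    them, "bad()", is kept), but the <b> tag and its attribute survive
//    untouched, so the handler still reaches the browser.
$stripped = strip_tags($untrusted, '<b>');
// Hello <b onmouseover="evil()">world</b> bad()

// 2. htmlspecialchars() keeps the user's text exactly as written and makes
//    every tag inert: the browser shows the markup instead of interpreting it.
$escaped = htmlspecialchars($untrusted, ENT_QUOTES | ENT_HTML5, 'UTF-8');
// Hello &lt;b onmouseover=&quot;evil()&quot;&gt;world&lt;/b&gt; &lt;script&gt;bad()&lt;/script&gt;

// 3. For a value that becomes part of a link: percent-encode it for the URL
//    context first, then HTML-escape the whole attribute value. Two contexts,
//    two encodings, applied in that order. (Hypothetical helper.)
function safe_link(string $base, string $param, string $value): string
{
    $url = $base . '?' . rawurlencode($param) . '=' . rawurlencode($value);
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">link</a>';
}

echo $stripped, "\n";
echo $escaped, "\n";
echo safe_link('https://example.com/search', 'q', $untrusted), "\n";
```

Running it shows the first line still containing onmouseover="evil()" inside a tag the browser will honour, while the second and third lines contain no live markup at all. The general rule the example illustrates: escape for the context you are writing into (HTML body, attribute, URL) at output time, and leave the stored input as the user typed it.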