on 05/01/03 4:16 AM, Anders Thoresson ([EMAIL PROTECTED]) wrote:

> I've seen both guest books and user forums "hacked" by users who enter
> javascript or other code, and that way redirect visitors to other sites or
> do other unwelcome things. What expressions should I look for and not allow
> in my forms?
Personally, I'd disallow ALL HTML tags. Why? Best two reasons I have are:

- someone might open a <b> tag, and never close it, making your whole page bold, or a link, or whatever
- someone could do something evil with javascript or any other onmouseover/click type event, like <b onmouseover="javascript:window.close();"> (can't remember exact syntax)

Just use striptags() (or is it strip_tags()?) on the entire contents of all your form's text elements, giving you clean text.

If you wanted to bring back simple formatting (say, B, I, BR), you could implement 'BBtags', basically using [ and ] instead of < and >:

Hello, [b]this bit is in bold[/b][br][i]and this in italics on a new line[/i].

Then you can specifically search and replace those tags using str_replace() or eregi_replace() or preg_replace().

Personally, I believe they don't have the right to get such amazing access to your site... everyone who you don't "know" shouldn't be trusted to provide decent content, or write decent HTML.

Cheers,
Justin

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
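The approach Justin outlines (strip every HTML tag, then re-enable a small whitelist of bracket-style tags with preg_replace()) as a worked PHP example. This is added here and is not code from the original post or from the PHP project; the function name sanitize_entry(), the sample inputs and the extra htmlspecialchars() step are my own assumptions. The BB patterns only convert matched [b]...[/b] and [i]...[/i] pairs, so an unclosed [b] stays as literal text instead of bolding the rest of the page, which addresses the first concern raised above.

```php
<?php
// Added example, not from the original post. Assumes strip_tags(),
// htmlspecialchars() and preg_replace() as found in PHP 4.3+/5+.

function sanitize_entry($text)
{
    // 1. Remove every HTML tag, including any onmouseover/onclick handlers
    //    carried inside a tag.
    $clean = strip_tags($text);

    // 2. Escape leftover special characters (stray '<', '&', quotes) so
    //    whatever survives renders as plain text rather than markup.
    $clean = htmlspecialchars($clean, ENT_QUOTES);

    // 3. Re-enable a small whitelist of BB-style tags. Only matched pairs
    //    are converted; an unclosed [b] is left exactly as typed.
    $patterns = array(
        '/\[b\](.*?)\[\/b\]/is',
        '/\[i\](.*?)\[\/i\]/is',
        '/\[br\]/i',
    );
    $replacements = array(
        '<b>$1</b>',
        '<i>$1</i>',
        '<br />',
    );
    return preg_replace($patterns, $replacements, $clean);
}

// Constructed sample entries for demonstration.
$samples = array(
    'Hello, [b]this bit is in bold[/b][br][i]and this in italics on a new line[/i].',
    '<b onmouseover="javascript:window.close();">click me</b>',
    '[b]unclosed bold tag',
    '<script>document.location="http://example.invalid/"</script>',
);

foreach ($samples as $s) {
    echo sanitize_entry($s), "\n";
}
// Expected output:
//   Hello, <b>this bit is in bold</b><br /><i>and this in italics on a new line</i>.
//   click me
//   [b]unclosed bold tag
//   document.location=&quot;http://example.invalid/&quot;
```

Order matters: strip_tags() first, then htmlspecialchars(), then the BB conversion. Converting BB tags before escaping would re-encode the generated <b> and <i> tags, and escaping without stripping would leave script text visible but inert. Running the whitelist last means the only HTML that can reach the page is the three elements you chose.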