Re: [PHP] Good HTML parser needed
- Date: Thu, 15 May 2008 07:58:58 -0400
- From: "Eric Butera" <eric.butera@xxxxxxxxx>
- Subject: Re: [PHP] Good HTML parser needed
On Wed, May 14, 2008 at 10:56 PM, Yi Wang <wangyi6854@xxxxxxxxx> wrote:
> Can anyone provide some code that can't be stripped by strip_tags?
>
>
> On 5/15/08, Eric Butera <eric.butera@xxxxxxxxx> wrote:
>> On Wed, May 14, 2008 at 11:38 AM, Robert Cummings <robert@xxxxxxxxxxxxx> wrote:
>> >
>> >
>> > On Wed, 2008-05-14 at 11:18 -0400, Eric Butera wrote:
>> > > On Tue, May 13, 2008 at 4:07 AM, James Dempster <letssurf@xxxxxxxxx> wrote:
>> > > > http://htmlpurifier.org/
>> > > >
>> > > > --
>> > > > /James
>> > > >
>> > >
>> > > This is the only real solution.
>> >
>> > That depends... if I'm the webmaster and I want to input arbitrary HTML,
>> > then htmlpurifier is unnecessary.
>> >
>> >
>> >
>> > Cheers,
>> > Rob.
>> > --
>> > http://www.interjinn.com
>> > Application and Templating Framework for PHP
>> >
>> >
>>
>>
>> OP said "users." Strip tags doesn't bother with tag attributes so
>> that is a security hole. Any regex type solution will encounter the
>> same set of issues.
>>
>> Htmlpurifier actually strips down and re-builds your html from the
>> ground against a nice whitelist filtering system that you can
>> customize to your needs. No nasty tags/attributes will get through
>> unless you want them to.
>>
>>
>> --
>> PHP General Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php
>>
>>
>
>
> --
> Regards,
> Wang Yi
>
I meant if you used the allow tags parameter. If you allow say the
<b> tag, then you could say <b key="value"> and it would pass right
through.
<?php
$str = "<b>hi</b><b onMouseOver='alert(/xss/);'>xss</b>";
echo "raw:\n";
var_dump($str);
echo "strip tags:\n";
var_dump(strip_tags($str));
echo "allow b:\n";
var_dump(strip_tags($str, '<b>'));
?>
raw:
string '<b>hi</b><b onMouseOver='alert(/xss/);'>xss</b>' (length=47)
strip tags:
string 'hixss' (length=5)
allow b:
string '<b>hi</b><b onMouseOver='alert(/xss/);'>xss</b>' (length=47)
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
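To show the difference between the allow-list of strip_tags() and the "strip down and re-build against a whitelist" approach Eric credits to HTML Purifier, here is an added example that is not part of the thread: a small DOMDocument-based rebuilder whose function names and element/attribute list are my own choices, run on the same input Eric posted.

```php
<?php
// Added example, not code from the thread: a minimal "parse, then rebuild
// against a whitelist" sanitizer on DOMDocument, the approach Eric credits to
// HTML Purifier. Use HTML Purifier in production; this omits URL-scheme checks,
// CSS filtering and much more. $allowed maps tag name => allowed attribute names.
function sanitize_html(string $html, array $allowed): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);               // tolerate sloppy markup
    // Wrap the fragment in one known root; the prologue forces UTF-8.
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $root = $doc->getElementsByTagName('div')->item(0);   // our wrapper
    return $root === null ? '' : rebuild_children($root, $allowed);
}

function rebuild_children(DOMNode $node, array $allowed): string
{
    $out = '';
    foreach ($node->childNodes as $child) {
        if ($child instanceof DOMText) {
            // Text is re-escaped, so a literal "<" typed by a user stays inert.
            $out .= htmlspecialchars($child->nodeValue, ENT_QUOTES, 'UTF-8');
        } elseif ($child instanceof DOMElement) {
            $tag   = strtolower($child->tagName);
            $inner = rebuild_children($child, $allowed);
            if (!isset($allowed[$tag])) {
                $out .= $inner;                       // drop tag, keep its text
                continue;
            }
            $attrs = '';
            foreach ($child->attributes as $attr) {
                // Unlike strip_tags(), attributes not on the list are removed,
                // so an onMouseOver on an allowed <b> does not survive.
                $name = strtolower($attr->name);
                if (in_array($name, $allowed[$tag], true)) {
                    $attrs .= " $name=\"" . htmlspecialchars($attr->value, ENT_QUOTES, 'UTF-8') . '"';
                }
            }
            $out .= "<$tag$attrs>$inner</$tag>";
        }   // comments and processing instructions are dropped
    }
    return $out;
}

$str = "<b>hi</b><b onMouseOver='alert(/xss/);'>xss</b>";   // input from the thread
var_dump(strip_tags($str, '<b>'));                           // attribute passes through
var_dump(sanitize_html($str, ['b' => [], 'i' => [], 'p' => []]));  // attribute removed
```

Attributes that carry URLs (href, src) need scheme validation on top of the name check before they can be allowed, which is one of the things a full library handles for you.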