Topic: Crap killed stripping tags thread by accident (Page 1 of 1)

 
bitdamaged
Maniac (V) Mad Scientist

From: 100101010011 <-- right about here
Insane since: Mar 2000

posted 03-28-2006 23:17

I was trying to delete a double post and ended up killing someone's thread about stripping HTML.

Can you repost?

BTW I was mentioning the strip_tags() function in PHP when I had this brain fart.



.:[ Never resist a perfect moment ]:.

redroy
Paranoid (IV) Inmate

From: 1393
Insane since: Dec 2003

posted 03-29-2006 19:40

That was my thread... no problem.

Yeah, I started looking at strip_tags() but it seemed that preg_replace() was more what I'm after cause I really just want to specify what can't be used... ie. like allow <a> tags but no onmouseover.

So I've got...

code:
function stripData($string)
{
	$string = preg_replace('@<script[^>]*?>.*?</script>@si', '(Script removed. No scripts allowed.)', $string);
	return $string;
}

...to handle removing <script>'s but I grabbed the "@<script[^>]*?>.*?</script>@si" from here and that's the part that's a bit over my head. Really it's the delimiters that confuse me... I know I can virtually set it up to remove anything but I just don't get it. I was thinking something along the lines of replacing <script with <?php and so forth to remove php but obviously question marks are being used to specify something else (everything between maybe?).

All in all, I would like to just repeat the preg_replace above to remove all php, object, applet, meta, form, onmouseover and anything else that could be potentially dangerous...

Moon Shadow
Paranoid (IV) Inmate

From: Rouen, France
Insane since: Jan 2003

posted 03-30-2006 00:37

redroy: There is a useful link on the preg_replace page:

http://www.mkssoftware.com/docs/man5/regexp.5.asp

It should help with understanding regular expressions.

----
If wishes were fishes, we'd all cast nets.

redroy
Paranoid (IV) Inmate

From: 1393
Insane since: Dec 2003

posted 03-30-2006 05:39

I lied... ended up going with strip_tags() after all... I took this bit 'o functions and turned it into something I understand a little better:

code:
$allowedTags = '<b><i><u><a><div><img><ul><li><hr><blockquote>';
$stripAttrib = 'javascript:|onclick|ondblclick|onmousedown|onmouseup|onmouseover|onmousemove|onmouseout|onkeypress|onkeydown|onkeyup';

function stripData($string)
{
	global $allowedTags, $stripAttrib;
	while($string != strip_tags($string, $allowedTags))
	{
		$string = strip_tags($string, $allowedTags);
	}
	while($string != stripslashes(preg_replace("/$stripAttrib/i", 'FORBIDDEN', $string)))
	{
		$string = stripslashes(preg_replace("/$stripAttrib/i", 'FORBIDDEN', $string));
	}
	return $string;
}

Seems to work pretty well. I'd appreciate any pointers if this doesn't look quite right to anybody. thanks!

Tyberius Prime
Maniac (V) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted 03-30-2006 06:42

you know... you can use the admin log to restore deleted threads!

bitdamaged
Maniac (V) Mad Scientist

From: 100101010011 <-- right about here
Insane since: Mar 2000

posted 03-30-2006 18:46

Ack, I was looking in the admin; I thought that was there somewhere.



.:[ Never resist a perfect moment ]:.

Tyberius Prime
Maniac (V) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted 03-30-2006 21:37

ok.. ->adminlog, look for the appropriate row, 'show details', then 'restore deleted object' would be the way to go.

redroy
Paranoid (IV) Inmate

From: 1393
Insane since: Dec 2003

posted 04-06-2006 22:43

Crap... I've run into a small problem. The stripData function I posted above is working wonderfully if things are coded correctly... the problem is, for example, if a user types a tag wrong like...

code:
<a name="anchor"</a>

...everything below that error is gone (poof!). How could I make it a little more dummy proof?
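
One way to handle both the mistyped-tag case and the attribute filtering discussed in this thread, as an added example that is not code from any poster: parse the input with PHP's DOM extension and re-emit only an allowlist of tags and attributes, instead of searching the string for forbidden words. The function names, the allowlists, the permitted URL schemes and the sample input are assumptions; it needs PHP 7 or later with ext-dom.

```php
<?php // Added example, not code from the thread. Names and allowlists are assumptions.
const ALLOWED = [                        // tag => attributes kept on that tag
    'b' => [], 'i' => [], 'u' => [], 'div' => [], 'ul' => [], 'li' => [], 'hr' => [],
    'blockquote' => [], 'a' => ['href', 'name'], 'img' => ['src', 'alt']];

function isSafeUrl(string $url): bool
{
    $u = preg_replace('/[\x00-\x20]+/', '', $url);   // browsers ignore these in a scheme
    return !preg_match('/^([a-z][a-z0-9+.\-]*):/i', $u, $m)   // no scheme: relative URL
        || in_array(strtolower($m[1]), ['http', 'https', 'mailto'], true);
}

function renderNode(DOMNode $node): string
{
    if ($node instanceof DOMText) {      // text is re-escaped, never passed through
        return htmlspecialchars($node->data, ENT_QUOTES, 'UTF-8');
    }
    $tag = strtolower($node->nodeName);
    if (!$node instanceof DOMElement || in_array($tag, ['script', 'style'], true)) {
        return '';                       // comments, scripts and styles vanish whole
    }
    $inner = '';
    foreach ($node->childNodes as $child) {
        $inner .= renderNode($child);
    }
    if (!array_key_exists($tag, ALLOWED)) {
        return $inner;                   // unlisted tag: keep its text, drop the tag
    }
    $attrs = '';
    foreach (ALLOWED[$tag] as $name) {   // only listed attributes are copied
        $value = $node->getAttribute($name);
        $urlOk = !in_array($name, ['href', 'src'], true) || isSafeUrl($value);
        if ($node->hasAttribute($name) && $urlOk) {
            $attrs .= " $name=\"" . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '"';
        }
    }
    return in_array($tag, ['hr', 'img'], true) ? "<$tag$attrs>" : "<$tag$attrs>$inner</$tag>";
}

function sanitizeHtml(string $html): string
{
    libxml_use_internal_errors(true);    // recover from malformed markup quietly
    $doc = new DOMDocument();
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $html . '</body>');
    $body = $doc->getElementsByTagName('body')->item(0);
    return $body === null ? '' : renderNode($body);
}
// Constructed sample: the malformed anchor from the post above plus an event attribute.
echo sanitizeHtml('<a name="anchor"</a> more text <b onmouseover="x()">bold</b>'), "\n";
```

Because the parser repairs the tree before anything is emitted, a mistyped tag is closed for the user instead of discarding what follows, and attributes that are not on the list are never copied into the output.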


