Date: 07/16/01
- Previous message: VFSA-eRentals: "RE: [PHP] Session questions"
- Maybe in reply to: Ray Dow: "[PHP] RE: html in my form? bad things! help help help!"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Once you open up ANY HTML tag to the public you open a huge can of worms and
trouble, like the following for example:
<a href="http://php.net" onmousemove="javascript:alert('Blar Blar Blar');">Click me!</a>
My javascript is not great (I could not think of anything more damaging) but
it's pretty clear what the possibilities are.
Strip all tags and use a custom system is my advice.
> -----Original Message-----
> From: zerosumzero <email protected> [mailto:zerosumzero <email protected>]
> Sent: Monday, 16 July 1979 3:59 PM
> To: Ray Dow; php-general <email protected>
> Subject: Re: [PHP] RE: html in my form? bad things! help help help!
>
>
> on 7/16/01 2:03 AM, Ray Dow at ray <email protected> wrote:
>
> > Everything removed by strip_tags(), including <a href="somelink>click
> > me</a> (your original example)
> >
> > See the problem?
>
> Everything isn't removed if you set it up like this:
>
>
> strip_tags($string,"<a>,<i>,<b>")
>
>
> that part is working fine, it's tags with missing quotes that
> have me worried, like this:
>
> <a href="http://www.someplace.com>My site!</a>
>
>
>
> --
> susan <email protected>
> http://futurebird.diaryland.com
>
>
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: php-general-unsubscribe <email protected>
For additional commands, e-mail: php-general-help <email protected>
To contact the list administrators, e-mail: php-list-admin <email protected>
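One way to implement the "strip all tags and use a custom system" advice from the message above, as an added example that is not code from the thread. The function name render_comment() and the [b], [i] and [url=...] markup are hypothetical. It escapes all input and then re-enables only that markup, next to the strip_tags() allow-list call discussed in the quoted reply.

```php
<?php
// Added example. render_comment() and the [b]/[i]/[url=...] markup are
// hypothetical names, not from the thread or from PHP itself.

function render_comment(string $input): string
{
    // 1. Escape everything first: any tag the user typed, well formed or
    //    missing a quote, becomes inert text.
    $safe = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');

    // 2. Bold and italic come back only through the custom markup, so the
    //    emitted tags never carry user-supplied attributes.
    $safe = preg_replace('#\[(b|i)\](.*?)\[/\1\]#is', '<$1>$2</$1>', $safe);

    // 3. Links: the URL must be absolute http(s); anything else (for example
    //    a javascript: URL) is dropped and only the link text is kept.
    return preg_replace_callback(
        '#\[url=(\S+?)\](.*?)\[/url\]#is',
        function (array $m): string {
            if (!preg_match('#^https?://#i', $m[1])) {
                return $m[2];
            }
            // $m[1] is already HTML-escaped, so it cannot close the attribute.
            return '<a href="' . $m[1] . '" rel="nofollow">' . $m[2] . '</a>';
        },
        $safe
    );
}

// Constructed sample inputs, the first two taken from the messages above.
$samples = [
    '<a href="http://php.net" onmousemove="javascript:alert(\'Blar Blar Blar\');">Click me!</a>',
    '<a href="http://www.someplace.com>My site!</a>',
    '[b]hello[/b] and [url=http://php.net]Click me![/url]',
    '[url=javascript:alert(1)]Click me![/url]',
];

foreach ($samples as $s) {
    // The allow-list call from the thread keeps the <a> tag together with
    // whatever attributes came with it, event handlers included.
    echo "strip_tags:     ", strip_tags($s, '<a><i><b>'), "\n";
    echo "render_comment: ", render_comment($s), "\n\n";
}
```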

