Comments on: Filtering Out Unwanted XHTML/HTML Tags http://addictedtonew.com/archives/72/filtering-out-unwanted-xhtmlhtml-tags/ John Nunemaker\'s thoughts and such Sun, 01 Nov 2009 17:19:15 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: Santosh Patnaik http://addictedtonew.com/archives/72/filtering-out-unwanted-xhtmlhtml-tags/comment-page-1/#comment-125954 Santosh Patnaik Sat, 02 Feb 2008 21:37:55 +0000 http://addictedtonew.com/?p=72#comment-125954 Try <a href="http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/index.php" rel="nofollow">htmLawed</a>. Besides filtering admin-specified HTML tags, attributes, etc., it can also balance and properly nest HTML tags, transform deprecated tags and attributes, and so on. Try htmLawed. Besides filtering admin-specified HTML tags, attributes, etc., it can also balance and properly nest HTML tags, transform deprecated tags and attributes, and so on.

]]> By: John Nunemaker http://addictedtonew.com/archives/72/filtering-out-unwanted-xhtmlhtml-tags/comment-page-1/#comment-116974 John Nunemaker Mon, 24 Dec 2007 16:46:42 +0000 http://addictedtonew.com/?p=72#comment-116974 It's linked in the post. It’s linked in the post.

]]> By: Rex http://addictedtonew.com/archives/72/filtering-out-unwanted-xhtmlhtml-tags/comment-page-1/#comment-116467 Rex Sat, 22 Dec 2007 04:30:17 +0000 http://addictedtonew.com/?p=72#comment-116467 Where is the InputFilter class???? Where is the InputFilter class????

]]> By: Arne Kuilman http://addictedtonew.com/archives/72/filtering-out-unwanted-xhtmlhtml-tags/comment-page-1/#comment-55849 Arne Kuilman Wed, 24 Jan 2007 23:46:44 +0000 http://addictedtonew.com/?p=72#comment-55849 I think I am just entering the XSS realm... but don't need and comprehend input filtering completely. I am just looking for a way to secure posted data in a URL after a form entry such as: index.php?name=user and hiding the variables in the URL. It has something to do with SESSIONS or cookies, but I can't find some easy examples to start off with. As a PHP newbie these classes and input filters are very daunting. I think I am just entering the XSS realm… but don’t need and comprehend input filtering completely. I am just looking for a way to secure posted data in a URL after a form entry such as: index.php?name=user and hiding the variables in the URL.
It has something to do with SESSIONS or cookies, but I can’t find some easy examples to start off with. As a PHP newbie these classes and input filters are very daunting.

]]> By: John Nunemaker http://addictedtonew.com/archives/72/filtering-out-unwanted-xhtmlhtml-tags/comment-page-1/#comment-3009 John Nunemaker Fri, 09 Jun 2006 17:36:33 +0000 http://addictedtonew.com/?p=72#comment-3009 @Teddy - Good find. I get nervous just looking at that list. @Teddy – Good find. I get nervous just looking at that list.

]]> By: Teddy http://addictedtonew.com/archives/72/filtering-out-unwanted-xhtmlhtml-tags/comment-page-1/#comment-3008 Teddy Fri, 09 Jun 2006 17:06:03 +0000 http://addictedtonew.com/?p=72#comment-3008 You should check out http://ha.ckers.org/xss.html if you want the low down on XSS. That guy put together the list of all the possible XSSs that are known. I don't think your list solves the problem. For instance you don't even mention the JavaScript directive but you allow A HREF, so you could have JavaScript in a link for instance. Anyway, it's worth a read. You should check out http://ha.ckers.org/xss.html if you want the low down on XSS. That guy put together the list of all the possible XSSs that are known. I don’t think your list solves the problem. For instance you don’t even mention the JavaScript directive but you allow A HREF, so you could have JavaScript in a link for instance. Anyway, it’s worth a read.

]]> By: John Nunemaker http://addictedtonew.com/archives/72/filtering-out-unwanted-xhtmlhtml-tags/comment-page-1/#comment-1262 John Nunemaker Thu, 13 Apr 2006 00:08:47 +0000 http://addictedtonew.com/?p=72#comment-1262 I would search 'XSS' at google. That should give you a wealth of articles. The main idea is that someone inserts <script> tags in a comment form or something which runs a script on another site when the page on your site is loaded. Most browsers now prevent XSS by default. Hope that helps. I would search ‘XSS’ at google. That should give you a wealth of articles. The main idea is that someone inserts <script> tags in a comment form or something which runs a script on another site when the page on your site is loaded. Most browsers now prevent XSS by default. Hope that helps.

]]> By: shareen http://addictedtonew.com/archives/72/filtering-out-unwanted-xhtmlhtml-tags/comment-page-1/#comment-1261 shareen Wed, 12 Apr 2006 23:09:36 +0000 http://addictedtonew.com/?p=72#comment-1261 Hi, I need to actually demonstrate and implement how XSS can be prevented for my dissertation. Can you help, ive read up on it abit and i know that you have to filter the information added to ur web page, but have not got a clue how to do that. Can you pleease help and point us in the right direction bearing in mind i am not very good at programming. Will be awaiting ur response. thankyou Hi,

I need to actually demonstrate and implement how XSS can be prevented for my dissertation. Can you help, ive read up on it abit and i know that you have to filter the information added to ur web page, but have not got a clue how to do that. Can you pleease help and point us in the right direction bearing in mind i am not very good at programming. Will be awaiting ur response.

thankyou

]]> By: John Nunemaker http://addictedtonew.com/archives/72/filtering-out-unwanted-xhtmlhtml-tags/comment-page-1/#comment-260 John Nunemaker Tue, 13 Sep 2005 13:46:15 +0000 http://addictedtonew.com/?p=72#comment-260 @Mike - To remove all tags, I would use <a href="http://us2.php.net/manual/en/function.strip-tags.php" rel="nofollow">strip_tags</a> or <a href="http://us2.php.net/manual/en/function.htmlspecialchars.php" rel="nofollow">htmlspecialchars</a>. Strip_tags strips all the tags from a string and htmlspecialchars encodes special characters such as < and >. This means that any html entered would show up as text rather than actual html. As far as where to use them, I would use them before inserting into the database. Another option would be to use them when displaying the fields on the front side. @Mike – To remove all tags, I would use strip_tags or htmlspecialchars.

Strip_tags strips all the tags from a string and htmlspecialchars encodes special characters such as < and >. This means that any html entered would show up as text rather than actual html.

As far as where to use them, I would use them before inserting into the database. Another option would be to use them when displaying the fields on the front side.

]]> By: mike http://addictedtonew.com/archives/72/filtering-out-unwanted-xhtmlhtml-tags/comment-page-1/#comment-257 mike Tue, 13 Sep 2005 12:28:45 +0000 http://addictedtonew.com/?p=72#comment-257 Not being a programmer, just a web designer who uses a lot of php complete scripts. My sites are real estate agents so I would like to prevent any tags. Could you show me how to do that and then ... How and where would this code be used? Mike Not being a programmer, just a web designer who uses a lot of php complete scripts.
My sites are real estate agents so I would like to prevent any tags.
Could you show me how to do that and then …
How and where would this code be used?

Mike

]]>