-
August 1st, 2009, 04:19 PM
#1
Myspace-Like HTML Stripping
Alright, I'd like to allow users to post comments with HTML, but also avoid things like abuse via scripts, iframes, and inline events.
How would I do this?
-
August 1st, 2009, 10:21 PM
#2
Re: Myspace-Like HTML Stripping
Why don't you pull the "CSS hidden input" trick? Don't make the input type as hidden because most bots won't change those. However, if you change one by CSS, then they will attempt to post data with that name.
Code:
<input type="text" name="lastname" value="" style="display: none" />
If the post was helpful...Rate it! Remember to use [code] or [php] tags.
-
August 3rd, 2009, 09:46 AM
#3
Re: Myspace-Like HTML Stripping
Only allow a certain range of HTML tags that can run without parameters.
Then you can use regular expressions to check if the tags are clean.
Because you have to avoid these types of entries:
Code:
<p onmouseover="eviljavascript.running;">blabla</p>
<img src="http://maliciousdomain.whatever/badscript.php">
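An added example, not part of any post in this thread: a tag allowlist that drops every attribute, as reply #3 suggests, but built on Python's standard-library HTML parser instead of regular expressions. The `ALLOWED` set and the names `CommentSanitizer` and `sanitize_comment` are assumptions chosen for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist for this example: formatting tags that need no attributes.
ALLOWED = {"b", "i", "u", "em", "strong", "p", "br", "ul", "ol", "li", "blockquote"}
VOID = {"br"}
# Elements whose text content is dropped entirely, not just the tags.
DROP_CONTENT = {"script", "style", "iframe"}


class CommentSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # allowed tags currently open, for balancing
        self.skip_depth = 0   # >0 while inside a DROP_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip_depth += 1
        elif self.skip_depth == 0 and tag in ALLOWED:
            # Attributes are discarded wholesale: no on* handlers, src, style.
            self.out.append(f"<{tag}>")
            if tag not in VOID:
                self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif self.skip_depth == 0 and tag in self.open_tags:
            # Close any inner tags the user left open, then this one.
            while self.open_tags:
                top = self.open_tags.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        if self.skip_depth == 0:
            self.out.append(escape(data))  # text is always re-escaped


def sanitize_comment(raw):
    parser = CommentSanitizer()
    parser.feed(raw)
    parser.close()
    while parser.open_tags:  # balance anything still open
        parser.out.append(f"</{parser.open_tags.pop()}>")
    return "".join(parser.out)
```

Tags outside the allowlist, comments and declarations are silently dropped, and an unclosed `<script>` causes everything after it to be discarded.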