user supplied forum text and htmlentities

  • pittendrigh

    user supplied forum text and htmlentities

    I have a forum where all user-supplied text (posted to the forum) is cleaned with htmlentities($msg) before sending it back to incoming GET requests.

    I want to allow image uploads to registered users. That much (allowing uploads if registered) is straightforward.

    But if all my user-supplied output is scrubbed with htmlentities first, then the img tags aren't tags, and no image will show.

    How do forums (that do allow image uploads) deal with this? Do they leave user-supplied text unchecked? Or use some sort of a regular expression to scrub everything inside user-supplied text except the image tags?

  • Rik

    #2
    Re: user supplied forum text and htmlentities

    pittendrigh wrote:
    > I have a forum where all user-supplied text (posted to the forum) is cleaned with htmlentities($msg) before sending it back to incoming GET requests.
    >
    > I want to allow image uploads to registered users. That much (allowing uploads if registered) is straightforward.
    >
    > But if all my user-supplied output is scrubbed with htmlentities first, then the img tags aren't tags, and no image will show.
    >
    > How do forums (that do allow image uploads) deal with this? Do they leave user-supplied text unchecked? Or use some sort of a regular expression to scrub everything inside user-supplied text except the image tags?

    They usually allow a very restrictive set of HTML, indeed enforced by regular expressions.
    You could use strip_tags(), but I normally want to allow/forbid attributes as well, then a regular expression will have to do the work.

    Grtz,
    --
    Rik Wasmus
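One way to do what Rik describes, as an added example that is not code from this thread: keep escaping everything with htmlentities() as pittendrigh already does, then re-allow only `<img>` tags whose `src` points into the forum's own upload directory and rebuild each accepted tag from scratch so no other attribute survives. The `/uploads/` path, the hex file-naming pattern and the `render_post`/`validate_img` function names are assumptions for the example.

```php
<?php
// Added example, not from the thread. Assumed: the server stores uploads
// under /uploads/ with a hex id and an image extension, so a strict
// pattern can recognise the forum's own images and nothing else.
const UPLOAD_SRC_PATTERN = '~^/uploads/[a-f0-9]{8,32}\.(png|jpe?g|gif)$~i';

function render_post(string $msg): string {
    // Split the raw text around anything that looks like an <img ...> tag;
    // the captured delimiters (odd indices) are validated one by one.
    $parts = preg_split('~(<img\b[^<>]*>)~i', $msg, -1, PREG_SPLIT_DELIM_CAPTURE);
    $out = '';
    foreach ($parts as $i => $part) {
        if ($i % 2 === 0) {
            // Plain text: escape as before, so no other tag gets through.
            $out .= htmlentities($part, ENT_QUOTES, 'UTF-8');
            continue;
        }
        // A tag that fails validation is shown escaped rather than dropped,
        // so the poster can see what was rejected.
        $out .= validate_img($part) ?? htmlentities($part, ENT_QUOTES, 'UTF-8');
    }
    return $out;
}

// Returns a freshly built <img> carrying only src and alt, or null.
function validate_img(string $tag): ?string {
    // Only a double-quoted src is accepted; because the tag is rebuilt,
    // any other attribute the user typed (event handlers, style, ...) is lost.
    if (!preg_match('~\bsrc="([^"]*)"~i', $tag, $m)) {
        return null;
    }
    $src = $m[1];
    if (!preg_match(UPLOAD_SRC_PATTERN, $src)) {
        return null; // off-site URL, non-image file or a non-http scheme
    }
    $alt = '';
    if (preg_match('~\balt="([^"]*)"~i', $tag, $m)) {
        $alt = $m[1];
    }
    return '<img src="' . htmlspecialchars($src, ENT_QUOTES, 'UTF-8')
         . '" alt="' . htmlspecialchars($alt, ENT_QUOTES, 'UTF-8') . '">';
}

// Constructed sample post: one forum image, one off-site tag with an extra
// attribute, and a <b> tag; only the first image renders as HTML.
echo render_post('Look: <img src="/uploads/3f9a1c2e.png" alt="cat"> '
               . '<img src="http://other.example/x.gif" onerror="..."> <b>hi</b>'), "\n";
```

Because the stored text is escaped on output rather than rewritten on input, the allow-list can be tightened later without touching existing posts.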



    • ronverdonk

      #3
      There is a class for you!

      I strongly suggest that you have a look at the InputFilter class at


      PHP Input Filter is a class that can filter input for stray or malicious PHP, JavaScript, or HTML tags. It can be used to prevent cross-site scripting (XSS) attacks. It should be used to filter input supplied by the user, such as HTML code entered in form fields. You have control over the filter process unlike other alternatives, and can input a string or an entire array to be cleaned (such as $_POST).

      It is GPL and it has an 85.5% rating from users.

      For you it is important that you can specify exactly what tags are allowed (in your case e.g. <img>).

      Good luck! - Ronald :cool:
      Last edited by ronverdonk; Jul 19 '06, 04:32 PM. Reason: typo's
