ChipmunkNinja
Jul 08, 2006 | 21:22:51
StripTags 1.0 Released
By marcwan

Download version 1.0 of StripTags for PHP5

After some further development over the last couple of weeks, I have released version 1.0 of the StripTags class for PHP.

This class is designed to replace the strip_tags function in PHP, which does not work particularly well. It serves to help website authors avoid cross-site scripting (XSS) attacks in user-created content, for sites such as blogs or forums where users can enter entries, articles, or comments.

You can read more about the class and XSS in general in the following article:

Helping Prevent XSS Attacks in PHP5

The big new feature in this version of the class is the ability to find XSS attacks injected via attributes encoded with numeric character references (the so-called "unicode-encrypted" form), such as:


<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;
      &#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>

We now successfully find these and neutralise them by inserting extra junk in the attribute string so that they are not processed by client browsers.
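As an added example (not the StripTags class's own code, which is in the download above), here is the check the post describes written out in PHP: decode the numeric character references the way a browser would, then neutralise any src or href attribute that turns out to be a javascript: URL. It goes slightly beyond the IMG example by covering href as well; it assumes PHP 5.4 or later, and the function names are hypothetical.

```php
<?php
// Added example, not code from the StripTags class. Function names are
// hypothetical. Shows the check the post describes: decode &#NNN; references
// in an attribute value as a browser would, then refuse javascript: URLs.

function normalizeUrlAttribute(string $value): string
{
    // Browsers decode character references inside attribute values before
    // interpreting them, so a filter that does not decode first never sees
    // the word "javascript".
    $decoded = html_entity_decode($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    // Browsers also skip ASCII control characters and whitespace inside a
    // URL scheme ("java\tscript:" still runs), so drop them before comparing.
    $decoded = preg_replace('/[\x00-\x20]+/', '', $decoded);
    return strtolower($decoded);
}

function isScriptUrl(string $value): bool
{
    return strncmp(normalizeUrlAttribute($value), 'javascript:', 11) === 0;
}

// Rewrites src= and href= attributes whose value decodes to a javascript:
// URL. Unlike the class, which inserts junk into the value, this simply
// empties the attribute, which is the more conservative choice.
function neutralizeScriptUrls(string $html): string
{
    $pattern = '/<(\w+)\b([^>]*?)\b(src|href)\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)([^>]*)>/i';
    return preg_replace_callback($pattern, function (array $m): string {
        $raw = trim($m[4], "\"'");
        if (!isScriptUrl($raw)) {
            return $m[0];                       // harmless, leave untouched
        }
        return '<' . $m[1] . $m[2] . $m[3] . '=""' . $m[5] . '>';
    }, $html);
}

// Constructed sample input: the post's IMG payload on one line, a tab-split
// variant in an href, and a harmless image that must survive unchanged.
$samples = [
    '<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;'
        . '&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>',
    '<a href="java&#9;script:alert(1)">link</a>',
    '<img src="/images/logo.png" alt="logo">',
];
foreach ($samples as $s) {
    echo neutralizeScriptUrls($s), "\n";
}
```

The first two samples come out as `<IMG SRC="">` and `<a href="">link</a>`, while the third is returned unchanged.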

Please note that this class is not a 100% complete solution to XSS. We do not handle all of the ways that XSS can be achieved through CSS and other forms of style (and thus always recommend that you not permit users to enter STYLE elements or "style" attributes on other elements). Solving this problem requires a significant amount of work and effort, and I believe that if you want to give users that degree of input control, you should have them use a Wiki-language engine such as Textile.

The README and INSTALL documents have full information on how to use the class as well as what it does and does not do.

As always, please feel free to email me with any questions, comments, or bug reports. I’ll fix the latter as quickly as I can.


Tags: PHP, XSS, tags, strip_tags, cross site scripting, striptags, strip

Comments (1)

test
Posted By: test Mar 15, 2009 06:17:34
<script>alert('ddd')</script>
Copyright © 2005-2008 Marc Wandschneider All Rights Reserved.