In a PHP script I'm accepting input from the user via a textarea and want to allow a few basic tags, so when I output the string I'm using:

echo strip_tags($content, '<b><i><ul><ol><li>');

Normally I would use FILTER_SANITIZE_STRING, but that would strip all tags; or I would use htmlentities(), but that would prevent the tags I'm passing through from displaying as they should.

So what else do I need to strip or encode, and how do I do that?

+1  A: 

There are some attributes you probably wish to remove as well, such as style. You may also want to remove event handlers like onMouseOver and onClick.

Rowan Parker
+3  A: 

I don't think you can rely on strip_tags() for security purposes. From http://php.net/strip_tags:

This function does not modify any attributes on the tags that you allow using allowable_tags, including the style and onmouseover attributes that a mischievous user may abuse when posting text that will be shown to other users.

It might be better to look at something like HTML Purifier or PEAR HTML_Safe, which should be able to do exactly what you want.

Tom Haigh
I recommend HTML Purifier too.
Shoan
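An added example (not from the question or from any of the answers on this page) that makes the quoted manual text concrete and shows one way around it. It first runs the question's strip_tags() call over a constructed sample in which an allowed tag carries an event-handler attribute, then rebuilds the same fragment with DOMDocument, keeping only an allowlist of tag names with no attributes at all and entity-encoding every text node. The sample input, the tag list and the function names allowBasicTags()/renderChildren() are illustrative; this is a demonstration of the principle, not HTML Purifier or HTML_Safe.

```php
<?php
// Added example, not from the original question or answers. Constructed input:
// an allowed tag carrying an event-handler attribute, a disallowed <script>,
// and loose '<' and '&' characters in the text.
$content = '<b onmouseover="alert(1)">bold</b> <script>alert(2)</script> '
         . '<i style="position:fixed">italic</i> a < b & c';

// The approach from the question: the <script> tag is removed, but the
// onmouseover and style attributes on the allowed <b> and <i> are kept as typed.
echo strip_tags($content, '<b><i><ul><ol><li>'), PHP_EOL;

/**
 * Re-emit $html keeping only the tag names in $allowedTags, with no attributes,
 * and with every text node entity-encoded. Disallowed elements are unwrapped
 * (their text is kept); <script> and <style> are dropped with their content.
 * Assumes UTF-8 input.
 */
function allowBasicTags($html, array $allowedTags)
{
    if ($html === '') {
        return '';
    }
    $allowed = array_flip(array_map('strtolower', $allowedTags));

    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);   // user markup is rarely well-formed
    // The XML declaration tells libxml the bytes are UTF-8; libxml supplies the
    // <html><body> wrapper and repairs unclosed or misnested tags itself.
    $doc->loadHTML('<?xml encoding="UTF-8">' . $html);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $body = $doc->getElementsByTagName('body')->item(0);
    return $body === null ? '' : renderChildren($body, $allowed);
}

function renderChildren(DOMNode $node, array $allowed)
{
    $out = '';
    foreach ($node->childNodes as $child) {
        if ($child instanceof DOMText) {
            // Text is always encoded, so '<', '>', '&' and quotes typed by the
            // user can never be re-read as markup by the browser.
            $out .= htmlspecialchars($child->nodeValue, ENT_QUOTES, 'UTF-8');
        } elseif ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (isset($allowed[$tag])) {
                // Allowed: write the bare tag. No attribute is ever copied,
                // which is exactly the part strip_tags() does not do.
                $out .= '<' . $tag . '>' . renderChildren($child, $allowed) . '</' . $tag . '>';
            } elseif ($tag === 'script' || $tag === 'style') {
                // Code, not prose: drop the element together with its contents.
            } else {
                // Any other element (<a>, <img>, <div>, ...): drop the tag, keep the text.
                $out .= renderChildren($child, $allowed);
            }
        }
        // Comments and processing instructions fall through and are dropped.
    }
    return $out;
}

echo allowBasicTags($content, array('b', 'i', 'ul', 'ol', 'li')), PHP_EOL;
```

The two echo lines operate on the same input, so they can be compared directly: the first still carries `onmouseover="alert(1)"`, the second emits `<b>bold</b>` and `<i>italic</i>` with the attributes gone and the stray `<` and `&` encoded. Because the output is regenerated from a parsed tree rather than filtered from the raw string, it is also always well-formed (unclosed tags get closed); the trade-off is that markup libxml cannot place is repaired silently rather than rejected.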
A: 

You can use this:

echo filter_var($string, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW); // strips all tags; STRIP_LOW also drops bytes below 32

Very good tutorial:

http://www.phpro.org/tutorials/Filtering-Data-with-PHP.html#12

Haim Evgi
I would normally use this, but the problem here is that it will strip ALL tags and I want a few to be passed through.
tamewhale
+1  A: 

I've had success with Cal Henderson's lib_filter in the past, which is a very good lightweight PHP 4/5 library for filtering tags and attributes from input. You can specify the allowed tags/attributes via the 'allowed' member variable, e.g. the following code sanitizes embed code from sites like YouTube/Vimeo/Flickr etc. but strips out everything else:

require_once 'lib_filter.php'; // Cal Henderson's lib_filter

$lib_filter = new lib_filter();
// Allowed tags mapped to the attributes permitted on each; everything else is stripped.
$lib_filter->allowed = array(
    'object' => array('width', 'height'),
    'param'  => array('name', 'value'),
    'embed'  => array('src', 'type', 'allowscriptaccess', 'allowfullscreen', 'width', 'height')
);
$video = $lib_filter->go($input);
stev.ie
A: 

How about this:

/**
 * Remove the opening and closing tags named in $tags, leaving their content.
 * preg_quote() keeps a tag name from being read as regex syntax, and \b stops
 * 'span' from also matching e.g. '<spanner>'.
 */
function stripSingleTags(array $tags, $string)
{
    foreach ($tags as $tag) {
        $string = preg_replace('#</?' . preg_quote($tag, '#') . '\b[^>]*>#is', '', $string);
    }
    return $string;
}

/*** example usage ***/
$string = '<p>stuff</p><span>more <span class="foo">and even>< more</span> stuff here</span>';

$tags = array('h1', 'span');

echo stripSingleTags($tags, $string);

Source: http://www.phpro.org/examples/Strip-Single-Tag.html

Wbdvlpr
+1  A: 

Check your input against the rules mentioned on the XSS cheat sheet. Also, from a security standpoint, it would be best to familiarize yourself with the OWASP Guide to Building Secure Web Applications and Web Services.

Shoan