I have a forum where all user-supplied text
(posted to the forum) is cleaned with htmlentities($msg) before sending
it back to incoming GET requests.
I want to allow image uploads to registered users.
That much (allowing uploads if registered) is straightforward.
But if all my user-supplied output is scrubbed with htmlentities
first, then the img tags aren't tags, and no image will show.
How do forums (that do allow image uploads) deal with this?
Do they leave user-supplied text unchecked? Or use some
sort of a regular expression to scrub everything inside
user-supplied text except the image tags?
pittendrigh wrote:
I have a forum where all user-supplied text
(posted to the forum) is cleaned with htmlentities($msg) before sending
it back to incoming GET requests.
I want to allow image uploads to registered users.
That much (allowing uploads if registered) is straightforward.
But if all my user-supplied output is scrubbed with htmlentities
first, then the img tags aren't tags, and no image will show.
How do forums (that do allow image uploads) deal with this?
Do they leave user-supplied text unchecked? Or use some
sort of a regular expression to scrub everything inside
user-supplied text except the image tags?
They usually allow a very restrictive set of HTML, indeed enforced by regular
expressions.
You could use strip_tags(), but I normally want to allow/forbid attributes
as well, then a regular expression will have to do the work.
Grtz,
--
Rik Wasmus
I strongly suggest that you have a look at the InputFilter class at http://www.phpclasses.org/browse/package/2189.html
PHP Input Filter is a class that can filter input for stray or malicious PHP, JavaScript, or HTML tags. It can be used to prevent cross-site scripting (XSS) attacks. It should be used to filter input supplied by the user, such as HTML code entered in form fields. You have control over the filter process unlike other alternatives, and can input a string or an entire array to be cleaned (such as $_POST).
It is GPL and it has an 85.5% rating from users.
For you it is important that you can specify exactly what tags are allowed (in your case e.g. <img>).
Good luck! - Ronald :cool:
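Putting Rik's and Ronald's advice together (escape everything first, then let exactly one controlled tag back in with its attribute validated), here is an added PHP example; it is not code from the thread or from the InputFilter package, and the `[img]...[/img]` placeholder syntax, the `/uploads/` path and the extension list are assumptions.

```php
<?php
// Added example, not from the thread. Strategy: neutralise every character
// HTML cares about, then re-create only an <img> whose src is a plain
// filename from the forum's own upload directory. No tag the user typed is
// ever parsed as a tag, so there is nothing to "scrub around".

declare(strict_types=1);

// Assumed upload location and allowed file types; adjust for your setup.
const UPLOAD_URL_PREFIX = '/uploads/';
const ALLOWED_EXTENSIONS = ['png', 'jpg', 'jpeg', 'gif'];

/**
 * Render one forum post for output.
 * Step 1: escape the whole message (htmlentities, as in the question,
 *         works the same way here).
 * Step 2: turn [img]filename[/img] into a real <img> only when the
 *         filename is a bare uploaded-file name: no path separators,
 *         no ':' (so no javascript: or data: schemes), known extension.
 */
function renderPost(string $msg): string
{
    $safe = htmlspecialchars($msg, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    return preg_replace_callback(
        '~\[img\](.+?)\[/img\]~i',
        static function (array $m): string {
            $name = trim($m[1]);
            // Accept only names like "photo_12.png"; everything else stays
            // as the already-escaped text it was.
            if (!preg_match('~^[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})$~', $name, $ext)
                || !in_array(strtolower($ext[1]), ALLOWED_EXTENSIONS, true)) {
                return $m[0];
            }
            // $name contains only characters that are safe inside a quoted attribute.
            return '<img src="' . UPLOAD_URL_PREFIX . $name . '" alt="user image">';
        },
        $safe
    );
}

// Constructed sample posts: one legitimate upload reference, one typed tag,
// one scheme smuggling attempt, one path traversal attempt.
$posts = [
    'Look: [img]photo_12.png[/img]',
    'Typed tag: <img src="http://example.com/a.png">',
    'Scheme: [img]javascript:void(0)[/img]',
    'Traversal: [img]../../etc/passwd.png[/img]',
];
foreach ($posts as $p) {
    echo renderPost($p), "\n";
}
```

Only the first post produces an `<img>` element; the other three are delivered as inert, escaped text, which is the property a strip_tags()-plus-regex approach has to work hard to guarantee.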