how to filter textboxes or fields from xss

sarmenhb · 02-18-2008, 06:04 PM

i have a form with textboxes, textarea, and other fields.

how do i filter from having a user enter html or javascript or any other markup besides addslashes ?

TlcAndres · 02-18-2008, 06:07 PM

htmlentities and the like

sarmenhb · 02-18-2008, 06:14 PM

cool thnx

im wondering how to filter like myspace does for example if you do use it.

if you edit your profile and enter javascript for example

<script>alert(something);</script> and when you save your profile

myspace outputs it like this: ..alert(something);..
it converts javascript markup to dots.

TlcAndres · 02-18-2008, 06:17 PM

PHP Code:


			
$array = array('<script>'=>'...','</script>'=>'...');

$string = '<script>alert(something);</script>';

$nS = str_replace(array_keys($array),array_values($array),$string);

echo $nS;

Kalle · 02-18-2008, 07:38 PM

Use the php filter extension:

PHP: Filter - Manual

dylanfm · 02-18-2008, 09:58 PM

Or this glorious thing: HTML Purifier - Filter your HTML the standards-compliant way!