  1. #1
    SitePoint Member
    Join Date
    Dec 2001
    Posts
    6

    Closing Tags Out

    Hi,

    I have made a forum of my own and allow members to have signatures. However, if they mess up the HTML in the signature, the rest of my page gets messed up, as they maybe forgot to close out a tag or something of that nature. Any suggestions on how to deal with this? (besides not allowing HTML in the signatures which is what I'm doing now...)

    I'm sorry if this has already been asked, I searched and couldn't find anything specific to this. Thanks for any help!

  2. #2
    No. Phil.Roberts's Avatar
    Join Date
    May 2001
    Location
    Nottingham, UK
    Posts
    1,142
    Fraid not. If you're gonna grant your users that kind of freedom then you're essentially trusting them to know what they're doing. There are too many ways to, for example, screw up table code to guard against it in any useable way.

    Having said that there IS a PHP class available on the net that can filter out specific html tags. This might be of use to you if you want to restrict your users to basic text-formatting and deny them the use of tables and javascript and the like.

    I still have the files, I can zip them up and email them if you like.
    THE INSTRUCTIONS BELOW ARE OLD AND MAY BE INACCURATE.
    THIS INSTALL METHOD IS NOT RECOMMENDED, IT MAY RUN
    OVER YOUR DOG. <-- MediaWiki installation guide

  3. #3
    You talkin to me? Anarchos's Avatar
    Join Date
    Oct 2000
    Location
    Austin, TX
    Posts
    1,438
    Make your own pseudo-html and only parse the tags if the closing tag is there. For example:
    $text = preg_replace("/\[b](.*)\[\/b]/Ui","<b>$1</b>",$text);

    This will only turn the text bold if the closing [/b] is there. Make sure at the beginning that you convert all <'s to &lt;'s
    ck :: bringing chris to the masses.
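
The approach from post #3 (escape every `<` first, then convert a pseudo-tag only when its closing tag is present), as an added example that is not code from the thread. It goes beyond the one-line regex by tracking open tags on a stack, so unclosed or mis-nested tags stay as literal text; the function name `render_signature`, the `SIG_TAGS` allow-list and the sample signatures are assumptions made for illustration.

```php
<?php
// Added example, not from the thread. Allow-list of pseudo-tags (assumption).
const SIG_TAGS = ['b', 'i', 'u'];

function render_signature(string $raw): string
{
    // 1. Neutralise all real HTML first, so only our own tags can reach the page.
    $safe = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');

    // 2. Split into plain text and [tag] / [/tag] tokens for allow-listed tags.
    $alt = implode('|', SIG_TAGS);
    $tokens = preg_split('/(\[\/?(?:' . $alt . ')\])/i', $safe, -1,
                         PREG_SPLIT_DELIM_CAPTURE | PREG_SPLIT_NO_EMPTY);

    $out  = [];   // output pieces, joined at the end
    $open = [];   // stack of [tag name, index in $out] for openers not yet closed
    foreach ($tokens as $tok) {
        if (!preg_match('/^\[(\/?)(' . $alt . ')\]$/i', $tok, $m)) {
            $out[] = $tok;                // plain, already escaped text
            continue;
        }
        $name = strtolower($m[2]);
        if ($m[1] === '') {               // opener: stays literal until it is closed
            $open[] = [$name, count($out)];
            $out[]  = $tok;
        } elseif ($open && end($open)[0] === $name) {
            [, $idx] = array_pop($open);  // properly nested close: emit the pair
            $out[$idx] = "<$name>";
            $out[]     = "</$name>";
        } else {
            $out[] = $tok;                // stray or mis-nested close: keep literal
        }
    }
    return implode('', $out);
}

// Constructed sample signatures: a closed tag plus raw HTML, an unclosed tag,
// and two crossed tags.
$samples = [
    '[b]bold[/b] and <script>alert(1)</script>',
    '[b]never closed <table><tr>',
    '[b][i]crossed[/b][/i]',
];
foreach ($samples as $s) {
    echo render_signature($s), PHP_EOL;
}
```

Because every opener is emitted as HTML only once its matching close has been seen, the output can never leave a tag open for the rest of the page.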

  4. #4
    SitePoint Wizard
    Join Date
    Oct 2001
    Location
    Tucson, Arizona
    Posts
    1,858
    It's a security hole to enable HTML in sigs or forums at all, so I'd just turn it off.

  5. #5
    You talkin to me? Anarchos's Avatar
    Join Date
    Oct 2000
    Location
    Austin, TX
    Posts
    1,438
    What makes it a security hole?
    ck :: bringing chris to the masses.

  6. #6
    SitePoint Wizard iTec's Avatar
    Join Date
    May 2001
    Location
    Sydney, Australia
    Posts
    2,243
    Originally posted by Anarchos
    What makes it a security hole?
    We can start with JavaScript: allow JavaScript and they can pop up windows etc. etc., redirect users to their own website etc. etc.

  7. #7
    You talkin to me? Anarchos's Avatar
    Join Date
    Oct 2000
    Location
    Austin, TX
    Posts
    1,438
    That's not a security hole, but you can just replace <script with "". Besides that, my whole point was to not allow HTML, and instead create a pseudo-html parser.
    ck :: bringing chris to the masses.

  8. #8
    SitePoint Wizard
    Join Date
    Oct 2001
    Location
    Tucson, Arizona
    Posts
    1,858
    It's not secure because on some BBS software, you can gain access to the admin's/mod's passwords or other people's passwords. It's not pretty.
