Anyone know how to Block JavaScript from being run in HTML Comment Editors

farmerjoe · 02-05-2007, 06:45 PM

I have a website in which I would like to allow users the options to write articles using an in-browser text editor that allows html tags. The only problem is that currently, users are able to paste javascript into the editor. This obviously poses a security risk in that haxx00rs could backpack malicious code within comment or article posts. Any one have a simple solution to blocking javascript from being parsed with the posts? Or maybe there is a better way? Please help guys!

unSpawn · 02-06-2007, 05:21 AM

Check out this LQ topic?: The Problem With PHP Application Security. It's about filtering.

farmerjoe · 02-06-2007, 11:04 AM

Thanks for the lead! Will this work to filter javascript as well?

unSpawn · 02-06-2007, 11:56 AM

a) It's meant as something to look into wrt filtering in general
b) I don't know. Depends on what you filter input with I guess.

farmerjoe · 02-07-2007, 07:02 PM

thanks for the help. Anyone else got any tips / opinions?

graemef · 02-07-2007, 11:14 PM

If you are playing around with PHP then you may want to look at the php function strip_tags(). This will remove HTML tags from the string, but you can add an exception list of allowable tags. Comments are always stripped, which is probably what you are looking for. This way you can restrict the number of allowable HTML tags that your submitters can use.

farmerjoe · 02-08-2007, 03:40 PM

Heres a better explanation:

We can remove and preg_replace the the javascript <script> tags easily enough.

The problem comes when someone copies html into a comment or article posting that's like this:

</div>
<div> hello world</div>

in which that first tag will close the stuff above it.

In essence, we want to allow people to include HTML in comments and article postings, but we want to make sure the HTML is clean and well formatted so it doesnt mess up the rest of the site.

We would rather not have to write an HTML parser from scratch because we want to allow ALL html tags to be allowed. This would cause us to have to reference the entire HTML tag library.

Maybe someone has already written a solution to this problem?

graemef · 02-09-2007, 07:48 AM

You can use the XML methods to verify the code but why not use BBCode?

farmerjoe · 02-13-2007, 02:57 PM

Ok. I might have found a quick solution to this. There is a library available in PHP5 called HTML Tidy. I think this will "tidy" our HTML by correct any tag errors.