MyBB Community Forums

Full Version: XSS attacks etc
I've taken a look at MyBB's method of removing HTML, and it's not helping me. What's a good way to prevent XSS attacks, etc?

For example:

<?php
// Deliberately vulnerable: the untrusted value is written into an href unescaped.
$input = "javascript:alert(document.cookie)";

echo "<a href=\"$input\">Something here</a>";

That will alert the cookie value, obviously.

I hope I've explained my problem clearly.

Thanks :)
Are you looking at this being posted in a post? Because MyBB doesn't allow PHP in posts, and there is an option to disable HTML in posts too :)
(2012-01-03, 02:55 PM)Tom K. Wrote: Are you looking at this being posted in a post? Because MyBB doesn't allow PHP in posts, and there is an option to disable HTML in posts too :)

I mean for general PHP development. I was taking a look at how MyBB prevents these kinds of attacks, but it started confusing me.

Sorry if I'm explaining my problem wrong :p
You can use htmlentities($str, ENT_NOQUOTES) to block HTML input (it will convert < to &lt;, > to &gt;, and convert quotes).
MyBB's function is htmlspecialchars_uni(). You'll see it used in the php files everywhere.
MyBB uses htmlspecialchars_uni() in places where UTF-8 characters may be used; it will sanitize HTML, and of course JavaScript won't run. However, if you just want to strip JavaScript there are multiple ways of doing it, one of them being through regex; that's how the parser does it.

You should look into http://htmlpurifier.org/
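The first post's href example and the later replies about htmlspecialchars_uni() and regex-stripping JavaScript point at the same gap: "javascript:alert(document.cookie)" contains no character that htmlspecialchars() or htmlentities() encodes, so HTML encoding alone does nothing for a URL attribute. The block below is an added example written for this thread, not MyBB's code and not its htmlspecialchars_uni(); the function names esc_html(), safe_url() and render_link() and the sample inputs are mine. It pairs attribute/body encoding with a scheme allowlist for href values, and the sample inputs include the case-mangled and tab-separated variants that a regex looking for the literal word "javascript" would miss.

```php
<?php
// Added example (not MyBB code): contextual output encoding for the case in
// the first post. HTML encoding covers text and attribute values; a URL needs
// a scheme check on top of that, because "javascript:..." has nothing to encode.

declare(strict_types=1);

// HTML body text and quoted attribute values: encode the five metacharacters,
// with ENT_QUOTES so both quote styles are covered, and an explicit charset.
function esc_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// href/src values: allow only known-safe schemes. A URL with no scheme
// (relative link) passes through; javascript:, data:, vbscript: and anything
// unrecognised is replaced by a harmless placeholder. An allowlist beats
// stripping the word "javascript", which misses "JaVaScRiPt:" and "java\tscript:".
function safe_url(string $url): string
{
    $url = trim($url);
    // Browsers drop tab and newline anywhere in a URL and leading/trailing
    // control characters before parsing the scheme, so remove all control
    // characters and spaces before inspecting it (stricter than the browser,
    // which only over-blocks, never under-blocks).
    $stripped = preg_replace('/[\x00-\x20]+/', '', $url);
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $stripped, $m)) {
        $scheme = strtolower($m[1]);
        if (!in_array($scheme, ['http', 'https', 'mailto', 'ftp'], true)) {
            return '#';
        }
    }
    return $url;
}

// Build the link from the first post with both protections applied.
function render_link(string $url, string $text): string
{
    return '<a href="' . esc_html(safe_url($url)) . '">' . esc_html($text) . '</a>';
}

// Constructed sample inputs: the original payload, two obfuscated variants,
// a data: URL, and two legitimate URLs that must survive intact.
$samples = [
    'javascript:alert(document.cookie)',
    'JaVaScRiPt:alert(1)',
    "java\tscript:alert(1)",
    'data:text/html,<script>alert(1)</script>',
    'https://example.com/?q=a&b="x"',
    '/relative/path?x=1',
];

foreach ($samples as $s) {
    echo render_link($s, 'Something here'), "\n";
}
```

The first four samples come out with href="#"; the https link keeps its scheme but has its ampersand and quotes encoded so it cannot break out of the attribute, and the relative path is untouched. The encoding is context-specific: a value placed inside a script block or into a query string needs json_encode() or rawurlencode() respectively, not htmlspecialchars(). And when users are allowed to submit actual HTML rather than plain text, a whitelist-based sanitizer such as HTML Purifier is the right tool; the functions above only handle the case where user input is data being placed into markup you wrote.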