MyBB Community Forums

Full Version: Setting for allowed html tags
You got the option to allow users to post html tags in posts.
Might I suggest adding a definable list of which tags are actually allowed to be posted.
So you can use the strip tags function in php.
Or the other way around, to have a list of blocked tags.
The list of blocked tags would be a much better (and simpler) idea, because there are only a few tags that admin would probs like to block.
Lol there are a multitude of tags that you would need to block:

object
frame
iframe
frameset
embed
script
table
tr
td
thead
div
link
html
head
body
title
meta

to name a few...

On the other hand, I also think it would be easier to just allow:
a, b, strong, i, em, u, strike, h1-h6, and be done with it :)

Of course it depends on what you want your users to do :)
Yes, and an allowed tags list would strip the other tags away, since probably not everyone knows about every HTML tag. :)
I would also much prefer a list of disallowed tags, but either way would still be better than simply allowing all HTML tags or none at all the way MyBB does now.
CraKteR Wrote: So you can use the strip tags function in php.
Did you read the warnings and comments on that page? strip_tags() is not an effective way of preventing XSS. It does not remove attributes, so users can still post onmouseover, onclick, style, etc. It also has some other shortcomings.

Just wanted to point that out. :P
Yes, I noticed that. It was an example; it shouldn't be that hard to make your own function, really.
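
The two points made in the thread, that strip_tags() leaves attributes such as onmouseover in place and that a short allowlist is easier to maintain than a blocklist, shown as an added example that is not part of the original posts and not MyBB code. The function names, the attribute policy (only href on a) and the sample post are assumptions made for illustration:

```php
<?php
// Added example, not MyBB code. Tag list is the one suggested in the thread.
const ALLOWED_TAGS  = ['a','b','strong','i','em','u','strike','h1','h2','h3','h4','h5','h6'];
const ALLOWED_ATTRS = ['a' => ['href']];            // assumption: every other attribute is dropped
const SAFE_HREF     = '#^(?:https?://|mailto:)#i';  // the only allowed attribute is a URL

function clean_children(DOMNode $parent): void
{
    // Snapshot the child list because the tree is mutated while walking it.
    foreach (iterator_to_array($parent->childNodes) as $node) {
        if ($node instanceof DOMText) { continue; }  // text is re-escaped on output
        if (!($node instanceof DOMElement)) {
            $parent->removeChild($node);             // comments, processing instructions
            continue;
        }
        clean_children($node);                       // sanitise descendants first
        $tag = strtolower($node->tagName);
        if (!in_array($tag, ALLOWED_TAGS, true)) {
            // Disallowed tag: keep its cleaned children, except script/style bodies.
            while ($tag !== 'script' && $tag !== 'style' && $node->firstChild) {
                $parent->insertBefore($node->firstChild, $node);
            }
            $parent->removeChild($node);
            continue;
        }
        foreach (iterator_to_array($node->attributes) as $attr) {
            $ok = in_array(strtolower($attr->name), ALLOWED_ATTRS[$tag] ?? [], true)
                && preg_match(SAFE_HREF, $attr->value) === 1;
            if (!$ok) { $node->removeAttributeNode($attr); }
        }
    }
}

function sanitize_post_html(string $html): string
{
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);        // tolerate sloppy user markup
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>');
    libxml_clear_errors(); libxml_use_internal_errors($prev);
    $root = $doc->getElementsByTagName('div')->item(0);   // our wrapper element
    clean_children($root);
    return implode('', array_map([$doc, 'saveHTML'], iterator_to_array($root->childNodes)));
}

// Constructed sample post: compare what each approach lets through.
$post = '<b onmouseover="alert(1)">hi</b> <a href="javascript:alert(1)">x</a><script>x()</script>';
echo strip_tags($post, '<b><a>'), "\n";   // tag filter only, attributes untouched
echo sanitize_post_html($post), "\n";     // allowlisted tags, attributes and URL schemes
```

Content that falls outside the wrapper element after parsing (for example when the input closes the div early) is discarded rather than passed through, so the filter fails closed.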