I have an admin block on my site in which users edit information about themselves. There is a text field to which I attached an editor (TinyMCE), but it turns out that for all the tags to work correctly, htmlspecialchars can no longer be applied.

And accordingly, this opens up the possibility that a user could enter some kind of script and run it...

What should I do in this case?

  • Why is htmlspecialchars not suitable? What kind of protection do you need: from SQL injection, or XSS? - nolka
  • htmlspecialchars is not suitable because the tags must be kept!!!! and only <script>...</script> must be banned - makan

1 answer

Before saving to the database, remove the scripts with a regular expression, for example:

$text = preg_replace('|<script.*</script>|Uis', '', $text); 

Or, much better, use strip_tags, for example:

$allowed_tags = '<br><div><span>'; // List the tags that should NOT be removed
$text = strip_tags($text, $allowed_tags);
  • Thank you very much!! In principle, I thought about a regex, but I would do it with strip_tags(); - makan
  • Pavel, hello! I tried to do it with a regex, and there is one problem: if the script is not written on one line, the variant of the regex you suggested does not fit. I tried to modify it myself, but something did not work out. If it's not too much trouble, tell me what to add to the regex? In general, I did this: $text = preg_replace('|<script>|i', '', $text); $text = preg_replace('|</script>|i', '', $text); At least I kill the <script> tag itself so that it does not start... - makan
  • @makan I edited the answer, try it now. Everything works fine for me. - Pavel Vershinin
  • Just replace '<script' with '&#60;script'. This will not affect display in any way, but the script will no longer run. And don't forget '</script' - KARTOH
  • Thank you very much, I will try!! - makan
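As an added example (not the answer's code and not part of TinyMCE): the strip_tags approach from the answer above, extended with a second pass, because strip_tags keeps every attribute on the tags it allows. The allow list and the `$_POST['about']` field name are assumptions.

```php
<?php
// Added example, not the answer's code. strip_tags() keeps every attribute on the
// tags it allows, so a DOM pass then drops non-allow-listed attributes and checks hrefs.
function sanitize_editor_html(string $html, array $allowed): string
{
    // Pass 1: strip_tags with the allowed tag names (the call from the answer above).
    $text = strip_tags($html, '<' . implode('><', array_keys($allowed)) . '>');
    // Pass 2: parse the remainder; the DOM decodes entities, so the checks below see
    // the same attribute values the browser would.
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);              // editor output is HTML, not XML
    $doc->loadHTML('<?xml encoding="utf-8"?><div>' . $text . '</div>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();

    foreach ((new DOMXPath($doc))->query('//*') as $el) {
        $keep = $allowed[strtolower($el->nodeName)] ?? [];
        // Copy the attribute map first: removing while iterating over it skips entries.
        foreach (iterator_to_array($el->attributes) as $attr) {
            $name = strtolower($attr->nodeName);
            if (!in_array($name, $keep, true) || !safe_href($name, $attr->nodeValue)) {
                $el->removeAttribute($attr->nodeName);
            }
        }
    }

    // Serialize the children of the wrapper <div>, not the wrapper itself.
    $out = '';
    foreach ($doc->documentElement->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// href may only be relative or use http, https or mailto; whitespace and control
// characters are removed before the scheme is read so they cannot mask it.
function safe_href(string $name, string $value): bool
{
    if ($name !== 'href') {
        return true;
    }
    $clean = preg_replace('/[\x00-\x20]+/', '', $value);
    if (preg_match('/^([a-z][a-z0-9+.-]*):/i', $clean, $m)) {
        return in_array(strtolower($m[1]), ['http', 'https', 'mailto'], true);
    }
    return true;                                   // relative URL, no scheme
}

// Assumed allow list and form field name; adjust both for the site.
$allowed = ['br' => [], 'div' => [], 'span' => [], 'a' => ['href']];
$about = sanitize_editor_html($_POST['about'] ?? '', $allowed);   // store $about
```

Run the sanitizer on the submitted value before it is saved, and still escape any plain-text fields with htmlspecialchars on output.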