I once read that strip_tags (or a function with a similar name) is not safe. Is it true?
2 answers
There are two comments on the manual page, one of which is:
Due to the fact that strip_tags() does not parse HTML syntactically, unclosed tags in a string can cause the function to remove extra pieces of text.
For example:
echo strip_tags("<p>Trolole<p olole");   // "Trolole"
echo strip_tags("<p>Trolole<madtag olole"); // the same
Another warning is that
This function does not remove any attributes of the allowed tags (the allowable_tags argument), including style, onmouseover, etc., which can also come from an unexpected source.
For example:
echo strip_tags("<b onmouseover=\"alert('hack!')\">сайт взломан</b>", "<b>");
PS: see comments.
- Well, you could say that about many functions... And such exceptions (attributes, etc.) should be handled separately, which, again, is also obvious... As for unclosed tags, that is completely normal and logical... - Zowie
- Well, htmlspecialchars(), in fact, has no exceptions. And on its manual page (typically) there are no warnings. You can't say that about it, because it is safe: it cannot be broken through. - ivkremer
- Well, text like
<b><h1>текст<span>текст</span>></h1><b>
is also not okay :) :) - Zowie
- Well, it has to be understood that whatever I write, you still need to test everything yourself © - Zowie
- It is also a great favourite in profanity filters; don't use a construction like this in them:
$text = 'this is <b>to</b> <s>e</s> <span>there is a filter</span> =)';
if (not_mat($text)) { add_in_base(strip_tags($text)); }
I apologize if the example is too "live" (._.) - Sh4dow
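An added example (not from the answer above or from the PHP manual) showing the attribute problem with strip_tags() and an allow-list that re-emits permitted tags without any attributes. The function names allow_tags_without_attributes() and render_node() are my own; the sample input is constructed.

```php
<?php
// Keep only the tags in $allowed, dropping every attribute on them, and
// escape all text. Built on DOMDocument so unclosed tags are parsed rather
// than guessed at. Assumes the dom extension (DOMDocument) is available.
function allow_tags_without_attributes(string $html, array $allowed): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);           // malformed input is expected
    $doc->loadHTML('<meta charset="utf-8">' . $html);
    libxml_clear_errors();
    $body = $doc->getElementsByTagName('body')->item(0);
    $out = '';
    if ($body !== null) {
        foreach ($body->childNodes as $child) {
            $out .= render_node($child, $allowed);
        }
    }
    return $out;
}

function render_node(DOMNode $node, array $allowed): string
{
    if ($node instanceof DOMText) {
        // nodeValue is decoded text, so re-escape it on the way out
        return htmlspecialchars($node->nodeValue, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
    if (!$node instanceof DOMElement) {
        return '';                              // comments, PIs etc. are dropped
    }
    $inner = '';
    foreach ($node->childNodes as $child) {
        $inner .= render_node($child, $allowed);
    }
    $tag = strtolower($node->tagName);
    if (in_array($tag, $allowed, true)) {
        // Re-emit the bare tag: onmouseover, style, href never survive
        return "<$tag>$inner</$tag>";
    }
    return $inner;                              // disallowed tag: keep its text only
}

// Constructed input combining both issues from the answer above.
$input = '<b onmouseover="alert(\'hack!\')">text</b><p>Trolole<p olole';

// strip_tags() keeps <b> together with its onmouseover handler.
echo strip_tags($input, '<b>'), "\n";

// The allow-list keeps <b> but without attributes, and escapes the rest.
echo allow_tags_without_attributes($input, ['b']), "\n";
```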
It depends on what you mean by "insecurity". If you are asking whether it will cut out the tags: yes, it will. Is it a solution to all security problems, etc.? No...
Actually, how could it be unsafe, then?
- So I got the name wrong ... - nick777