Menu
I need to check if user submitted HTML contains any JavaScript. I'm using PHP for validation.
919
If you want to protect yourself against Cross-Site Scripting (XSS), then you should better use a whitelist than a blacklist. Because there are too many aspects you need to consider when looking for XSS attacks.
Just make a list of all HTML tags and attributes you want to allow and remove/escape all other tags/attributes. And for those attributes that can be used for XSS attacks, validate the values to only allow harmless values.
169
It might be better to take a different approach and use something like HTML Purifier to filter out anything that you don't want. I think it would be very difficult to safely remove any possibility of javascript without actually parsing the HTML properly.
31
OK, let's not all be naive here:
<script> "<!-- </script> -->"; document.write("hello world"); </script> (should pass the filters suggested by regexadvice)
filtering-out javascript is a security-critical thing, which means you need to do it thoroughly and properly, not some quick hack.
2
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
