How to change all the occurrence of the <script> <Script> <scRipT> <sCrIpT> and so ..
to <script> <Script>
with PHP
I also want to remove
The input will be taken from a WYSIWYG Editor, so i can not use the strip_tags function.
Edit 2
Is there any other way a user can execute a javascript with some kind of strange characters to
I found this on internet
<scr<!--*-->ipt>
alert('hi')
</script>
But it did not worked though, is there any such possibilities ?
Simply removing <script>
tags from untrusted input is not enough to guard against XSS attacks. For example, <a href="#" onmouseover="alert('pwned!');">
– I just put script in your page—without using a <script>
tag—and stole your cookies. Oops.
This is a case where you really need to use a well-tested library that actually parses the HTML and removes the stuff you don't want.
Probably the simplest method would be str_ireplace()
for case-insensitive replacement, however this won't preserve the case of the "sCriPt" word. But if you're out to de-fang XSS attacks that may be just fine:
str_ireplace("<script>", "<script>", $input);
A more complex solution could be devised with preg_replace()
to preserve case, but would be slower. This might work, but if it were me I'd use str_ireplace()
...
preg_replace("/<(script)>/i", "<$1>", $input);
Note: If it is XSS prevention you're after, neither of these takes into account things like <script type=text/javascript>
. To truly handle these cases, you need to load the HTML string into DOMDocument
and delete the offending script nodes.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With