Saturday, December 20, 2008


This week we're recreating a PHP function that is extremely important for sanitizing user input. All HTML/ASP/PHP tags are stripped outright; there is no support for a whitelist of allowed tags. A whitelist can be very dangerous without much more rigorous testing to check for script-related exploits. A safer solution would be to force the user to use something like UBB code or Markdown and convert to HTML on the backend.


  1. function strip_tags(unsafeString)
  2.     dim regEx
  3.     set regEx = new RegExp
  4.     with regEx
  5.         .Global = true
  6.         .IgnoreCase = true
  7.         .Pattern = "(\<(/?[^\>]+)\>)"
  8.     end with
  9.     strip_tags = regEx.Replace(unsafeString, "")
  10.     set regEx = nothing
  11. end function

View ASP implementation on Snipplr

No comments: