Saturday, December 20, 2008

strip_tags()

This week we're recreating a PHP function that is extremely important for sanitizing user input. All HTML/ASP/PHP tags are stripped outright; there is no support for a whitelist of allowed tags. A whitelist can be very dangerous without much more rigorous testing to check for script-related exploits. A safer solution would be to force the user to use something like UBB code or Markdown and convert to HTML on the backend.


ASP

  1. function strip_tags(unsafeString)
  2.     dim regEx
  4.     set regEx = new RegExp
  6.     with regEx
  7.         .Global = true
  8.         .IgnoreCase = true
  9.         .Pattern = "(\<(/?[^\>]+)\>)"
  10.     end with
  12.     strip_tags = regEx.Replace(unsafeString, "")
  14.     set regEx = nothing
  15. end function

View ASP implementation on Snipplr

Posted by at
Labels:

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)