UBB.Developers Forums Community Development Programming PHP and Server-side Scripting Cleaning uploaded text for security

I working on a script that will allow users to upload text fields which will be displayed on an HTML page. (Kind of like here, I guess

I want to strip out any HTML, or anything else that could have security risks.

Would this be adequate?
$text =~ s/<.*>//g;

Or is it neccessary to explicitly check for scripting keywords like the UBB does in ubb_library.pl/sub check_html?

I don't know much about perl, but wouldn't it be

$text ~= s/<.*)>//g;

?

Back to the question, removing all HTML tags would be fine, but you might wanna do:

$text ~= s/<(.*?)>/& lt;$1& gt;/g;

without the spaces for & lt; and & gt;.
that'll allow you to display all HTML, but not process it as HTML.

------------------
JohnM - moderator of server side scripting


This message has been edited by JohnM on January 23, 2001 at 04:35 PM

Thanks for the response

I don't understand your first regex:
$text ~= s/<.*)>//g;
Should that be:
$text ~= s/<.*?>//g;
If so, that makes sense, and would be better than the regex I posted, since it would avoid removing text in between HTML tags.

Your second regex is a good idea too. However, I can't think of any good reason to display the HTML, so I'm more inclined to stick with just removing the tags.