Stripping out html tags / Security

I would allow only basic tags like bold or italic ( up to 4-5 ), as common user probally won't bother with other anyway...but it depends on the stucture of your page and the whole idea. In such case you wouldn't have problems with <script> tags... Just scan the string and remove everything with <> except for tags you want to allow.

cheers

here's a UDF that could help. just modify the badTags and badEvents list to suit your needs.

<cfscript>
/**
 * Removes potentially nasty HTML text.
 * Version 2 by Lena Aleksandrova - changes include fixing a bug w/ arguments and use of REreplace where REreplaceNoCase should have been used.
 *
 * @param text        String to be modified. (Required)
 * @param strip        Boolean value (defaults to false) that determines if HTML should be stripped or just escaped out. (Optional)
 * @param badTags        A list of bad tags. Has a long default list. Consult source. (Optional)
 * @param badEvents        A list of bad HTML events. Has a long default list. Consult source. (Optional)
 * @return Returns a string.
 * @author Nathan Dintenfass (nathan@changemedia.com)
 * @version 3, March 19, 2003
 */
function safetext(text) {
      //default mode is "escape"
      var mode = "escape";
      //the things to strip out (badTags are HTML tags to strip and badEvents are intra-tag stuff to kill)
      //you can change this list to suit your needs
      var badTags = "SCRIPT,OBJECT,APPLET,EMBED,FORM,LAYER,ILAYER,FRAME,IFRAME,FRAMESET,PARAM,META";
      var badEvents = "bgcolor,onClick,onDblClick,onKeyDown,onKeyPress,onKeyUp,onMouseDown,onMouseOut,onMouseUp,onMouseOver,onBlur,onChange,onFocus,onSelect,javascript:";
      var stripperRE = "";
      
      //set up variable to parse and while we're at it trim white space
      var theText = trim(text);
      //find the first open bracket to start parsing
      var obracket = find("<",theText);            
      //var for badTag
      var badTag = "";
      //var for the next start in the parse loop
      var nextStart = "";
      //if there is more than one argument and the second argument is boolean TRUE, we are stripping
      if(arraylen(arguments) GT 1 AND isBoolean(arguments[2]) AND arguments[2]) mode = "strip";
      if(arraylen(arguments) GT 2 and len(arguments[3])) badTags = arguments[3];
      if(arraylen(arguments) GT 3 and len(arguments[4])) badEvents = arguments[4];
      //the regular expression used to stip tags
      stripperRE = "</?(" & listChangeDelims(badTags,"|") & ")[^>]*>";      
      //Deal with "smart quotes" and other "special" chars from MS Word
      theText = replaceList(theText,chr(8216) & "," & chr(8217) & "," & chr(8220) & "," & chr(8221) & "," & chr(8212) & "," & chr(8213) & "," & chr(8230),"',',"","",--,--,...");
      //if escaping, run through the code bracket by bracket and escape the bad tags.
      if(mode is "escape"){
            //go until no more open brackets to find
            while(obracket){
                  //find the next instance of one of the bad tags
                  badTag = REFindNoCase(stripperRE,theText,obracket,1);
                  //if a bad tag is found, escape it
                  if(badTag.pos[1]){
                        theText = replace(theText,mid(TheText,badtag.pos[1],badtag.len[1]),HTMLEditFormat(mid(TheText,badtag.pos[1],badtag.len[1])),"ALL");
                        nextStart = badTag.pos[1] + badTag.len[1];
                  }
                  //if no bad tag is found, move on
                  else{
                        nextStart = obracket + 1;
                  }
                  //find the next open bracket
                  obracket = find("<",theText,nextStart);
            }
      }
      //if not escaping, assume stripping
      else{
            theText = REReplaceNoCase(theText,stripperRE,"","ALL");
      }
      //now kill the bad "events" (intra tag text)
      theText = REReplaceNoCase(theText,(ListChangeDelims(badEvents,"|")),"","ALL");
      //return theText
      return theText;
}
</cfscript>


<cfset string = "<html><body bgcolor='black'>this is some <b>text</b> that I wrote.<br><script>window.alert('boo');</script></body></html>">
<cfoutput>
#safetext(string)#
</cfoutput>

one thing i just want to ask, is why are you worried about a user messing up thier own auction?   my thought would be who cares?  they paid for it, and they can make it unreadable if they want.  its not like they'll be able to do anything that would harm a viewers computer.

but if you do care, i'd go with jyokums... that looks good to me.

Hi All,

Thanks for the great comments i'm going to try them all out today and see how we go!

Cheers,
Brad

Anand, thanks for the information on those tags, they allow you to submit exactly what the user types rather than HTML. This does take out the security problems but means that the user can't enter HTML.

jyokum, the code looks good and is a great way to take out bad tags. It is halfway to where i wanted to be.

Looking at

http://www.cfdev.com/activedit/

It looks pretty much like what I am looking for (with the exception that the cost is slightly prohibitive). It is the best of what is available along the lines of an html editor at the moment? Is there anything like this which is as good but cheaper or is this the best solution available?

It does also take out all code that is Non-HTML as well as dangerous tags inside html.

Thanks for all the different answers guys!

Cheers,
Brad

If you check out my bottom link, it was to a barebones javascript/dhtml version of active edit.

Thanks crosen, I did have a look at it but unfortunately because of my level of coding skill I am looking more towards a complete solution that needs minimal customisation if possible.

Cheers,
Brad

The list of bad tags can be never ending - aint it ???

what ive used is the same logic as used on EE i guess - thats why whatever code we write -
appears as it is ... without getting executed

why on earth - wld u want users to enter GOOD HTML TAGS ???

K'Rgds
Anand

Hi anand,

Lol well you definitely have a point there that many many tags can be used badly but I guess you have to decide where the tradeoff is between letting the user have their pretty bold and italic text and security problems!

Cheers,
Brad

Or you can just add an approval layer, emailing that this user updated/added his body content, and it may/may not contain html code. Then you can hand edit it if it contains bad html or not.

Imagine if EE was to go thru the BAD & GOOD HTML tags ... & decide what has to go up & what shldn't .............

depends on what u require & what functionalities u want to open up to users

its teh way u look at it :)

K'Rgds
Anand

Hi Guys,

Well its seems like we're going to use Activedit I think. I will probably use your tag as well jyokum but for a bad word filter (working on it later) rather than a bad tag filter.

Cheers to all for the help!

Brad

I have a pretty good word filter if you're interested.

Sure, if you've got some code would love to have a look at it!

Cheers
Brad

Usage would be something like
<cfoutput>
#pottyMouth(myString)#
</cfoutput>





<cfscript>
/**
 * Searches for unwanted words and replaces them with a different string
 * Original version by Jeff Yokum
 *
 * @param dirtyString      The string to be searched. (required)
 * @param wholeWords       Matchs whole words only if set to true. Default is true (optional)
 * @param ignoreCase       Ignores case if set to true. Default is true (optional)
 * @param replaceWith      The character to use when replacing of the unwanted word. Default is **** (optional)
 * @param wordList         An optional comma delimited list of words to search for. This will replace the default list (optional)
 * @return Returns a string.
 * @author Jeff Yokum (jyokum<.AT.>yahoo<.DOT.>com)
 * @version 1, July 13, 2003
 */
function pottyMouth(dirtyString){
      var wholeWords = true;
      var ignoreCase = true;
      var replaceWith = '****';
      /*
       * The only reason the word list is encrypted here is to protect the eyes
       * of sensitive programmers or those who may stumble upon this code.
       * When using this UDF, you can set wordList to the list of words you want
       * to replace and the encryptedList variable can be removed.
       */
      var encryptedList = '111C07581D11021A580A180600581F050C1F581F050C1F1D171743161D0D130758040C031C0D5817190813110B5C0C011A0D';
      var wordList = cfusion_decrypt(encryptedList,"potty"); // this is the list of words we don't want
      var pattern = "";
      
      if(ArrayLen(arguments) gte 2) wholeWords = arguments[2];
      if(ArrayLen(arguments) gte 3) ignoreCase = arguments[3];
      if(ArrayLen(arguments) gte 4) replaceWith = arguments[4];
      if(ArrayLen(arguments) gte 5) wordList = arguments[5];
      
      pattern = "(" & ListChangeDelims(wordList,"|",",") & ")";
      if(wholeWords) pattern = "\b" & pattern & "\b";
      if(ignoreCase) pattern = "(?i)" & pattern;
      return REReplace(dirtyString,pattern,replaceWith,"ALL");
}
</cfscript>