Check if HTML contains JavaScript in PHP

Question

Check if HTML contains JavaScript in PHP

I need to check if custom HTML contains any javascript. I use PHP for validation.

Thanks for any help!

+4

javascript html php validation

David 01 Oct '09 at 10:23

source share

5 answers

If you want to protect yourself from Cross-Site Scripting (XSS) scripts, you'd better use whitelist than blacklist . Because there are too many aspects that you need to consider when looking for XSS attacks .

Just create a list of all the HTML tags and attributes that you want to allow, and delete / delete all other tags / attributes. And for those attributes that can be used for XSS attacks, check the values only to ensure harmless values.

+7

Gumbo 01 Oct '09 at 10:36

source share

Well, let not everyone be naive here:

<script> ""; document.write("hello world"); </script> <script> ""; document.write("hello world"); </script> (you should pass the filters suggested by regexadvice)

javascript filtering is a security-critical thing, which means you need to do this carefully and correctly, rather than quickly crack it.

+2

Ojw 01 Oct '09 at 10:40

source share

You can remove script tags since Pawka states use regular expressions. I found the thread on this here .

Mainly:

 $list=preg_replace('#<script[^>]*>.*?</script>#is','',$list);

Code from this page not written by me.

0

KB22 01 Oct '09 at 10:28

source share

You will need to scan the <script> tags, but you will also need to look for attributes such as onclick="" or onmouseover="" etc., which can have javascript without the need for script tags.

0

Evernoob 01 Oct '09 at 10:34

source share

Tom haigh · Accepted Answer · 2009-10-01T10:34:22+0000

It is better to use a different approach and use something like HTML Purifier to filter out everything you don't need. I think it would be very difficult to safely remove any javascript feature without actually parsing the HTML.

Check if HTML contains JavaScript in PHP

More articles: