Disable Javascript Entry Into Form
Solution 1:
I'd recommend using a sanitization library, like HTML Purifier, since just stripping <script> tags isn't enough to prevent XSS attacks: JS can be automatically executed using attributes like onLoad, onMouseOver, onUnload, etc.

To remove tags, and allow some, you can use PHP's strip_tags() function, but it doesn't strip the attributes, hence my recommendation for an HTML sanitization library. If you're able to run it, perhaps one of the best choices is Google's Caja library, although it doesn't work in shared hosting environments since it's written in Java, but it can be hosted on Google's AppEngine.

Also, simple regex solutions aren't always reliable, since even malformed tags can still be parsed. For example, <script > wouldn't be caught by simple regex detection of normal script tags unless it's looking for spaces after the tag name. It's possible to check for this, but using an established library would save you time, and would give you the added bonus of a battle-tested library.
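As an added example (not code from the answer above), this is the library route that answer recommends: HTML Purifier configured with an explicit allowlist of elements, attributes and URL schemes, so event-handler attributes and javascript: links are removed along with <script>. It assumes the library is installed with Composer (`composer require ezyang/htmlpurifier`); the sample inputs are constructed.

```php
<?php
// Added example, not code from the answer above: the allowlist approach Solution 1
// recommends, done with HTML Purifier. Assumes `composer require ezyang/htmlpurifier`.
require __DIR__ . '/vendor/autoload.php';

function purify_form_field(string $dirty): string
{
    $config = HTMLPurifier_Config::createDefault();
    // Allowlist of elements and attributes. <script>, every on* event handler, style,
    // and anything else not named here is removed rather than escaped.
    $config->set('HTML.Allowed', 'p,br,b,i,a[href],img[src|alt]');
    // Only http(s) URLs survive in href/src; javascript:, data: and vbscript: are dropped.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    // Skip the on-disk definition cache so the example runs without a writable cache dir.
    $config->set('Cache.DefinitionImpl', null);
    return (new HTMLPurifier($config))->purify($dirty);
}

// Constructed inputs; only the first one even contains a <script> tag.
$samples = [
    '<b>hello</b><script >alert(1)</script >',
    '<img src="x" onerror="alert(1)" alt="pic">',
    '<a href="javascript:alert(1)" onmouseover="alert(2)">link</a>',
];
foreach ($samples as $s) {
    echo purify_form_field($s), PHP_EOL;
}
```

The point of the allowlist is that nothing needs to be recognised as "bad": `onerror`, `onmouseover` and the `javascript:` scheme are dropped simply because they were never permitted, which is why the spaced `</script >` form and attribute-based payloads are handled without any regex.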
Solution 2:
You could use a regex like this:
// Removes well-formed <script ...>...</script> pairs; i = case-insensitive, s = dot matches newlines.
echo preg_replace('/<script\b[^>]*>(.*?)<\/script>/is', "", $var);
source: https://stackoverflow.com/a/1886842/2046700
or, as stated, use a library to do this for you, such as: http://htmlpurifier.org/
another possible example:
<?php
// Matches only <script> elements whose opening tag contains the literal string "javascript"
// (e.g. type="text/javascript"); a bare <script> tag is not matched by this pattern.
$javascript = '/<script[^>]*?javascript{1}[^>]*?>.*?<\/script>/si';
$noscript = '';
$document = file_get_contents('test.html');
echo preg_replace($javascript, $noscript, $document);
?>
Solution 3:
Whitelist tags you permit, and attributes you permit, then remove everything else. You can use DOMDocument
for this.
I wrote this piece of code once but never had anyone else review it
function legal_html($str, $tags='<a><b><br><i><span><table><tbody><tr><td><thead><th><img>', $attribArray=false) {
    // Attribute allowlist; anything not listed (onclick, onerror, style, ...) is removed.
    if ($attribArray===false) {
        $attribs = array('id','class','src','href','alt');
    } else {
        $attribs = $attribArray;
    }
    // First pass: strip_tags() removes every element not in $tags but leaves attributes alone.
    $stripped = strip_tags($str,$tags);
    // Second pass: parse what is left and drop attributes that are not allowlisted.
    $dom = new DOMDocument();
    // Malformed input is expected here; record libxml errors instead of emitting warnings.
    $prevErrors = libxml_use_internal_errors(true);
    // The encoding declaration stops libxml from reading the input as ISO-8859-1 and mangling UTF-8.
    $dom->loadHTML('<?xml encoding="utf-8"?><div>'.$stripped.'</div>');
    libxml_clear_errors();
    libxml_use_internal_errors($prevErrors);
    foreach ($dom->getElementsByTagName('*') as $node) {
        // Walk backwards: removeAttributeNode() shrinks the live attribute list.
        for ($i = $node->attributes->length -1; $i >= 0; $i--) {
            $attrib = $node->attributes->item($i);
            if (!in_array($attrib->name,$attribs)) $node->removeAttributeNode($attrib);
        }
    }
    // saveHTML() wraps the fragment in <html><body>; cut out just the contents of our <div>.
    $stripped = $dom->saveHTML();
    $start = strpos($stripped,'<div>')+5;
    $end = strrpos($stripped,'</div>');
    $stripped = trim(substr($stripped,$start,$end-$start));
    return $stripped;
}
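As an added example that is not code from any of the answers above, here is the regex from Solution 2 placed beside a DOMDocument allowlist sanitizer of the kind Solution 3 describes, both run over the same constructed payloads, including the spaced `<script >` form Solution 1 warns about and an attribute-only payload. The allowlists, the scheme check on href/src, and the choice to drop disallowed elements with their subtree are this example's own assumptions.

```php
<?php
// Added example, not code from any of the answers above: the regex from Solution 2
// beside a DOMDocument allowlist sanitizer of the kind Solution 3 describes, run over
// constructed payloads. The allowlists and the scheme check are this example's own choices.

// Solution 2's filter: removes well-formed <script>...</script> pairs and nothing else.
function regex_strip_script(string $html): string
{
    return preg_replace('/<script\b[^>]*>(.*?)<\/script>/is', '', $html);
}

// Only these URL schemes may appear in href/src; relative URLs are allowed.
function url_attr_ok(string $name, string $value, array $schemes): bool
{
    if ($name !== 'href' && $name !== 'src') {
        return true;
    }
    // Browsers ignore control characters and whitespace inside a scheme ("java\tscript:"),
    // so strip them before looking at it.
    $v = preg_replace('/[\x00-\x20]+/', '', $value);
    if (!preg_match('/^([a-z][a-z0-9+.-]*):/i', $v, $m)) {
        return true;                       // no scheme: a relative URL
    }
    return in_array(strtolower($m[1]), $schemes, true);
}

function scrub_node(DOMNode $node, array $tags, array $attrs, array $schemes): void
{
    // Snapshot the children: removing nodes while iterating a live NodeList skips entries.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMElement) {
            if (!in_array(strtolower($child->tagName), $tags, true)) {
                // Unknown element: drop it with its whole subtree, so the body of a
                // <script> never leaks out as text.
                $node->removeChild($child);
                continue;
            }
            // Walk attributes backwards: removeAttributeNode() shrinks the live map.
            for ($i = $child->attributes->length - 1; $i >= 0; $i--) {
                $attr  = $child->attributes->item($i);
                $aname = strtolower($attr->name);
                if (!in_array($aname, $attrs, true) || !url_attr_ok($aname, $attr->value, $schemes)) {
                    $child->removeAttributeNode($attr);
                }
            }
            scrub_node($child, $tags, $attrs, $schemes);
        } elseif (!($child instanceof DOMText)) {
            // Comments, CDATA and processing instructions have no place in a form field.
            $node->removeChild($child);
        }
    }
}

function allowlist_sanitize(
    string $html,
    array $tags = ['p', 'br', 'b', 'i', 'span', 'a', 'img'],
    array $attrs = ['href', 'src', 'alt', 'class'],
    array $schemes = ['http', 'https']
): string {
    $dom  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);   // malformed input is the normal case here
    // The encoding PI keeps UTF-8 intact; the wrapper gives a fixed node to serialise from.
    $dom->loadHTML('<?xml encoding="utf-8"?><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $body = $dom->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';
    }
    scrub_node($body, $tags, $attrs, $schemes);

    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $dom->saveHTML($child);      // serialise the cleaned fragment only
    }
    return $out;
}

// Constructed payloads: the first two contain a <script> tag, the rest do not.
$payloads = [
    '<script>alert(1)</script>',
    '<script >alert(1)</script >',                    // the spaced form Solution 1 mentions
    '<img src="x" onerror="alert(1)">',
    '<a href="javascript:alert(1)">click</a>',
    '<a href="&#106;avascript:alert(1)">click</a>',  // entity-encoded scheme
    '<b>bold</b> <a href="https://example.com/">ok</a>',
];
foreach ($payloads as $p) {
    printf("input:     %s\nregex:     %s\nallowlist: %s\n\n",
        $p, regex_strip_script($p), allowlist_sanitize($p));
}
```

Two things the side-by-side run makes visible: the regex requires `</script>` with no space before `>`, so `<script >alert(1)</script >` passes through it untouched, and it never looks at attributes, so the `onerror` and `javascript:` payloads come back unchanged. The DOM version sees the input the way a browser will, after entity decoding, so `&#106;avascript:` is checked as `javascript:` and the `href` is dropped. Content that libxml cannot place under `<body>` is simply not serialised, which errs on the side of losing input rather than passing it through.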
Solution 4:
You can use something like this:
$content=$_POST['textbox'];
// strpos() looks for the literal, case-sensitive string '<script>' (no attributes, no spaces).
if(strpos($content,'<script>')!==false){
    //show error;
}
else{
    //proceed with work;
}