filburt1 - Yeah, parsing it out properly is not a concern; in the end it will just check for invalid entries and throw an error, stopping the data from saving, so people know they can't use nasty stuff, and because it will save a lot of processing time compared with trying to strip out some guy's billion injection attempts every time the page with the data is loaded.
Here's the source for the file:
PHP Code:
<!-- Demo page: lists the filter rules, then posts the textarea contents to self.php,
     where ParseHTML() (defined below) filters the fragment and echoes it back as raw HTML.
     NOTE(review): the list below is the author's description of the rules; as the code is
     shown on this page, the '&' rule replaces '&' with itself, so that item is not in effect. -->
<font face='verdana'>
The script will parse out:
<ul>
<li>Bad tags (script etc..)</li>
<li>& -> &amp;</li>
<li>\n -> br tag</li>
<li>Generic javascript injection (javascript(s)?:)</li>
<li>Style javascript injection (expression(script here))</li>
<li>Tag Event javascript injection (onload='script')</li>
</ul>
<form action='self.php' method='post'>
Insert html code:</font>
<br />
<textarea name='html' cols='90' rows='8'></textarea>
<br />
<input type='submit' />
</form>
<?php
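/**
 * Remove a blocklist of dangerous tag names from an HTML fragment.
 *
 * Each name in $badTags is deleted wherever it starts an opening tag (`<name`)
 * or ends a closing tag (`name>`), case-insensitively. The deletion is repeated
 * until the text stops changing, so a name that is only formed *after* an inner
 * deletion is caught on the next round; the original single pass returned such
 * input with the tag name reassembled.
 *
 * This is still a blocklist over raw text, not an HTML parser, so it is not a
 * substitute for escaping with htmlspecialchars() or an allowlist-based
 * sanitizer; it only narrows the most obvious cases.
 *
 * @param string            $Code    HTML fragment to filter.
 * @param list<string>|null $badTags Tag names to delete; null selects the original list.
 * @return string The filtered fragment.
 * @throws \RuntimeException if PCRE fails (e.g. backtrack limit), so a filter
 *                           error can never silently yield unfiltered output.
 */
function stripBadTags($Code, $badTags = null)
{
    if ($badTags === null) {
        $badTags = ['script', 'iframe', 'object', 'applet', 'frame', 'frameset', 'param', 'style'];
    }
    $text = (string) $Code;
    if ($text === '' || $badTags === []) {
        return $text;
    }

    // One alternation over all names; preg_quote keeps a name with regex
    // metacharacters from changing the pattern's meaning.
    $quoted = array_map(function ($tag) {
        return preg_quote((string) $tag, '/');
    }, $badTags);
    $names = implode('|', $quoted);
    $pattern = '/(<(?:' . $names . ')|(?:' . $names . ')>)/i';

    // Every replacement strictly shortens the text, so this loop terminates.
    do {
        $before = $text;
        $text = preg_replace($pattern, '', $text);
        if ($text === null) {
            // Fail closed: a PCRE error must not pass the input through unfiltered.
            throw new \RuntimeException('stripBadTags: preg_replace failed, PCRE error ' . preg_last_error());
        }
    } while ($text !== $before);

    return $text;
}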
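/**
 * Filter a user-supplied HTML fragment for display.
 *
 * Pipeline, in order:
 *  1. stripBadTags() removes the blocklisted tag names.
 *  2. '&' becomes '&amp;' and "\n" becomes '<br />'. (The code as previously
 *     shown replaced '&' with itself, which did nothing, although the page's
 *     rule list promises '&amp;'. Entities already present in the input are
 *     therefore encoded a second time; that is what the rule list asks for.)
 *  3. Regex rules are each applied repeatedly until the text stops changing:
 *     - scripting keywords are replaced by a fixed notice;
 *     - CSS expression(...) is removed;
 *     - on* event attributes inside a tag are removed. The previous rule matched
 *       any "on" followed by a letter anywhere in the text up to the next '=',
 *       so it also destroyed legitimate markup such as `<font color='red'>`
 *       (the page's own `<font face='verdana'>` is affected). This rule requires
 *       whitespace before the attribute name and consumes only its value.
 *
 * This remains a blocklist and the result is still raw HTML from the user; it
 * is not a safe sanitizer. Escaping with htmlspecialchars() or an
 * allowlist-based HTML sanitizer is the robust alternative.
 *
 * @param string $Code User-supplied HTML fragment.
 * @return string The filtered fragment.
 * @throws \RuntimeException if a regex fails, so a PCRE error cannot fall
 *                           through as unfiltered text.
 */
function ParseHTML($Code)
{
    // Strip out unwanted tags
    $text = stripBadTags((string) $Code);

    // Character-level replacements, applied in array order: '&' first, so the
    // '<br />' inserted by the second rule is never touched by the first.
    $text = str_replace(['&', "\n"], ['&amp;', '<br />'], $text);

    $rules = [
        // Generic Javascript injection into tags
        ['find' => '/(javascript(s)?|vbscript(s)?|java(s)?)/i', 'replace' => 'Active Scripting Disabled'],
        // Style javascript injection
        ['find' => '/expression((.+?))?\((.+?)\)/i', 'replace' => ''],
        // Tag event javascript injection: " onxxx = value", value quoted or a
        // bare token up to whitespace / '>'
        ['find' => '/\s+on[a-z]+\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)/i', 'replace' => ''],
    ];

    foreach ($rules as $rule) {
        // Loop until a pass changes nothing; a no-op pass would have spun the
        // previous `while (preg_match(...))` form forever.
        do {
            $before = $text;
            $text = preg_replace($rule['find'], $rule['replace'], $text);
            if ($text === null) {
                // Fail closed rather than returning partially filtered text.
                throw new \RuntimeException('ParseHTML: preg_replace failed, PCRE error ' . preg_last_error());
            }
        } while ($text !== $before);
    }

    return $text;
}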
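// Echo the filtered fragment back when the form was submitted with something to show.
// isset() + is_string() replace the former `@`-suppressed read: the key may be absent,
// and a repeated field (html[]) arrives as an array, which trim() would reject.
// The old stripslashes() call was a magic_quotes-era workaround; without magic quotes
// it silently deleted legitimate backslashes, so the value is passed through as received.
// Note: the output is user-controlled HTML after a blocklist filter, not escaped text.
$raw = isset($_POST['html']) && is_string($_POST['html']) ? $_POST['html'] : '';
if (trim($raw) !== '') {
    echo ParseHTML($raw);
}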
?>
- Zero Tolerance