hao
Reputation: 57
javascript string replace equivalent on php?
I am trying to prevent xss injection. So before I submit a form, a javascript function is called
function validatefield(id) {
var description = document.getElementById(id).value;
description = description.replace(/[\"\'][\s]*javascript:(.*)[\"\']/gi, "");
description = description.replace(/script(.*)/gi, "");
description = description.replace(/eval\((.*)\)/gi, "");
document.getElementById(id).value=description;
}
I am wonderng if there's a way to do the same in php before inserting into the mysql? if they get around of the validatefield function.
Thanks
Upvotes: 1
Views: 3219
Answers (2)
Matthew Flaschen
Reputation: 284816
Generally speaking, you can use preg_replace for regex replacements in PHP. But there are a few problems with your design
- You shouldn't even bother doing this on the client. It will slow things down without providing security.
- You're removing things that are perfectly safe (e.g. "I wrote a script to do such as such"), while ignoring many actual dangers like onclick attributes (see also XSS Cheat Sheet).
Generally speaking, if you want to allow some form of HTML, a whitelist is a better approach. HTML Purifier is a popular tool for implementing this in PHP.
Upvotes: 3
Chris Clarke
Reputation: 1356
You are looking for preg_replace.
$description = preg_replace('regex pattern', 'regex replacement', $description);
Upvotes: 5
Related Questions
- How can I replace a string?
- JavaScript equivalent for PHP preg_replace
- Is there replace function in php? like javascript replace()
- Translate javascript string replace function to php
- String Replace in jquery or javascript
- Translate PHP preg_replace to javascript and set it recursive
- How to replace strings in a Javascript array
- convert javascript replace to php preg_replace or str_replace
- Construction of PHP/Javascript replace function
- Replace a string in JavaScript and PHP