A PHP Function that verify code language

Question

I have a form with 2 textareas; the first one allows user to send HTML Code, the second allows to send CSS Code. I have to verify with a PHP function, if the language is correct.

If the language is correct, for security, i have to check that there is not PHP code or SQL Injection or whatever.

What do you think ? Is there a way to do that ? Where can I find this kind of function ?

Is "HTML Purifier" http://htmlpurifier.org/ a good solution ?

Answer 1

Ok thanks you all.

actually, i realize that I needed a human validation. Users can post HTML + CSS, I can verify in PHP that the langage & the syntax are correct, but it doesn't avoid people to post iframe, html redirection, or big black div that take all the screen.

:-)

Answer 2

Yes. htmlpurifier is a good tool to remove malicious scripts and validate your HTML. Don't think it does CSS though. Apparently it works with CSS too. Thanks Briedis.

Answer 3

If you have to validate the date to insert them in to database - then you just have to use mysql_real_escape_string() function before inserting them in to db.

//Safe database insertion
mysql_query("INSERT INTO table(column) VALUES(".mysql_real_escape_string($_POST['field']).")");

If you want to output the data to the end user as plain text - then you have to escape all html sensitive chars by htmlspecialchars(). If you want to output it as HTML, the you have to use HTML Purify tool.

//Safe plain text output
echo htmlspecialchars($data, ENT_QUOTES);

//Safe HTML output
$data = purifyHtml($data); //Or how it is spiecified in the purifier documentation
echo $data; //Safe html output

Answer 4

HTMLPurifier is the recommended tool for cleaning up HTML. And as luck has it, it also incudes CSSTidy and can sanitize CSS as well.

... that there is not PHP code or SQL Injection or whatever.

You are basing your question on a wrong premise. While HTML can be cleaned, this is no safeguard against other exploitabilies. PHP "tags" are most likely to be filtered out. If you are doing something other weird (include-ing or eval-ing the content partially), that's no real help.
And SQL exploits can only be prevented by meticously using the proper database escape functions. There is no magic solution to that.

Answer 5

SHJS syntax highlighter for Javascript have files with regular expressions http://shjs.sourceforge.net/lang/ for languages that highlights — You can check how SHJS parse code.

Answer 6

for something primitive you can use regex, BUT it should be noted using a parser to fully-exhaust all possibilities is recommended.

/(<\?(?:php)?(.*)\?>)/i

Example: http://regexr.com?2t3e5 (change the < in the expression back to a < and it will work (for some reason rexepr changes it to html formatting))

EDIT

/(<\?(?:php)?(.*)(?:\?>|$))/i

That's probably better so they can't place php at the end of the document (as PHP doesn't actually require a terminating character)