SafeHTMLCheck Issue

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Post Reply
the_toad_king
Forum Newbie
Posts: 2
Joined: Fri Nov 02, 2007 5:49 pm

SafeHTMLCheck Issue

Post by the_toad_king »

feyd | Please use

Code: Select all

,

Code: Select all

and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read:  [url=http://forums.devnetwork.net/viewtopic.php?t=21171]Posting Code in the Forums[/url] to learn how to do it too.[/color]


Hi everybody,

I'm trying to implement some safe-HTML validation using Sam Willison's safehtmlcheck.php. I've used it to check the safety of another, basically identical form on two other pages, the exact same way I'm trying to do it here, and it worked. But for some reason it doesn't work in this code; it allows tags like object and script whereas the other pages won't. I need another set of eyes to help me find the issue!

Here's my code (This editor knocked it out of alignment a bit):

Code: Select all

if ($_SESSION['loggedinuser_userid'] == $_GET['user'])
{
  if($_POST['profile']){
   	$userid = $_GET['user'];
   	$profileContent = $_POST['profile'];
		$checker = new SafeHtmlChecker;
		$checker->check('<all>'.$profileContent.'</all>');
		if (!$checker->isOK()) {
    	$content .= '<ul>';
    	foreach ($checker->getErrors() as $error) {
    	  $content .= '<li>'.$error.'</li>';
    	}
    	$content .= '</ul>';
  	}
  	else{
   		$cleanProfileContent = $profileContent;
  	}
  	if($cleanProfileContent){
   	 	$sql = "UPDATE users SET profile='".$cleanProfileContent."' WHERE userid=".$userid;
      if($result = mysql_query($sql,$conn)){
   			$content = "Profile updated.";
   	  }
   	  else {
     		$content = "Profile edit failed.";
    	}
  	}
 	  else{
    	$content = "Your profile contained illegal tags. Please try again, using only approved tags.";
  	}
	}
}
The posted variable profile is just a simple textarea.

Thanks for any help you can offer!


feyd | Please use

Code: Select all

,

Code: Select all

and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read:  [url=http://forums.devnetwork.net/viewtopic.php?t=21171]Posting Code in the Forums[/url] to learn how to do it too.[/color]
User avatar
Kieran Huggins
DevNet Master
Posts: 3635
Joined: Wed Dec 06, 2006 4:14 pm
Location: Toronto, Canada
Contact:

Post by Kieran Huggins »

I hear good things about HTML Purifier. And not only from it's author.
the_toad_king
Forum Newbie
Posts: 2
Joined: Fri Nov 02, 2007 5:49 pm

Post by the_toad_king »

Thanks for the reply,

I've tried HTML Purifier. First run, it had an error in line 202 of some file.

Anyway, it's huge and a bit overkill for what I need. safehtmlcheck is tiny and simple, and that's all I'm looking for here. Besides, I've already used it for two other forms and it works perfectly. I can't understand why, when every line is exactly the same except for variable names, it doesn't work here.

Can anyone see any bugs in that code that I missed??

Thanks
Post Reply