SafeHTMLCheck Issue

Posted: Fri Nov 02, 2007 6:00 pm
by the_toad_king
feyd | Please use the forum's code tags and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.


Hi everybody,

I'm trying to implement some safe-HTML validation using Sam Willison's safehtmlcheck.php. I've used it to check the safety of another, basically identical form on two other pages, the exact same way I'm trying to do it here, and it worked. But for some reason it doesn't work in this code; it allows tags like object and script whereas the other pages won't. I need another set of eyes to help me find the issue!

Here's my code (This editor knocked it out of alignment a bit):

Code:

if ($_SESSION['loggedinuser_userid'] == $_GET['user']) {
    if (!empty($_POST['profile'])) {
        $userid = (int) $_GET['user'];       // cast: it is interpolated into the SQL below
        $profileContent = $_POST['profile'];
        $cleanProfileContent = null;         // fail closed: only set when the check passes

        $checker = new SafeHtmlChecker;
        $checker->check('<all>' . $profileContent . '</all>');
        if (!$checker->isOK()) {
            $content .= '<ul>';
            foreach ($checker->getErrors() as $error) {
                $content .= '<li>' . $error . '</li>';
            }
            $content .= '</ul>';
        } else {
            $cleanProfileContent = $profileContent;
        }

        if ($cleanProfileContent !== null) {
            // escape before interpolating; the HTML check does nothing for the query itself
            $sql = "UPDATE users SET profile='" . mysql_real_escape_string($cleanProfileContent, $conn)
                 . "' WHERE userid=" . $userid;
            if ($result = mysql_query($sql, $conn)) {
                $content = "Profile updated.";
            } else {
                $content = "Profile edit failed.";
            }
        } else {
            // append, so the error list built above is not overwritten
            $content .= "Your profile contained illegal tags. Please try again, using only approved tags.";
        }
    }
}

The posted variable profile is just a simple textarea.

Thanks for any help you can offer!
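As an added example (not code from the thread, and not safehtmlcheck.php itself), here is a small allow-list HTML checker in Python with the same check() / isOK() / getErrors() shape as the one used above, followed by a profile update that fails closed and uses a parameterised query. The allow-list, the users table and the sample inputs are constructed for the example.

```python
import sqlite3
from html.parser import HTMLParser

# Constructed allow-list (hypothetical): permitted tags and, per tag, permitted attributes.
ALLOWED = {"b": set(), "i": set(), "p": set(), "br": set(), "ul": set(), "li": set(),
           "a": {"href", "title"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")

class AllowListChecker(HTMLParser):
    """Rejects every tag/attribute not on the allow-list: unknown input fails, it never passes."""
    def __init__(self):
        super().__init__()
        self.errors = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            self.errors.append("tag <%s> is not allowed" % tag)
            return
        for name, value in attrs:
            if name not in ALLOWED[tag]:
                self.errors.append("attribute %s on <%s> is not allowed" % (name, tag))
            elif name == "href" and not (value or "").lower().startswith(SAFE_SCHEMES):
                self.errors.append("href on <a> must start with one of %s" % ", ".join(SAFE_SCHEMES))

    def check(self, html):  # same shape as the thread's check() / isOK() / getErrors()
        self.feed(html)
        self.close()
        return self

    def is_ok(self):
        return not self.errors

    def get_errors(self):
        return list(self.errors)

def demo_db():
    """In-memory stand-in for the users table with one constructed row (userid 7)."""
    db = sqlite3.connect(":memory:")
    db.executescript("CREATE TABLE users (userid INTEGER PRIMARY KEY, profile TEXT);"
                     "INSERT INTO users VALUES (7, '');")
    return db

def update_profile(db, user_id, profile_html):
    """Fail closed: the row is written only after the checker explicitly passed. Returns (saved, errors)."""
    checker = AllowListChecker().check(profile_html)
    if not checker.is_ok():
        return False, checker.get_errors()
    # Parameterised query: passing the HTML allow-list says nothing about SQL safety.
    db.execute("UPDATE users SET profile = ? WHERE userid = ?", (profile_html, user_id))
    return True, []
```

A rejected submission leaves the stored profile untouched, and a quote in an accepted one is stored literally rather than breaking the query.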

Posted: Fri Nov 02, 2007 6:42 pm
by Kieran Huggins
I hear good things about HTML Purifier. And not only from its author.

Posted: Fri Nov 02, 2007 6:45 pm
by the_toad_king
Thanks for the reply,

I've tried HTML Purifier. First run, it had an error in line 202 of some file.

Anyway, it's huge and a bit overkill for what I need. safehtmlcheck is tiny and simple, and that's all I'm looking for here. Besides, I've already used it for two other forms and it works perfectly. I can't understand why, when every line is exactly the same except for variable names, it doesn't work here.

Can anyone see any bugs in that code that I missed?

Thanks