Question

Is there a way to forbid external images in my forum? Links to external images are sometimes broken, and not always legal. Is it possible to make this via .htaccess?

Solution

No. <a href=''> and <img src=''> ask the client to load the defined URI. There is no secure way to forbid this (JavaScript solutions can be disabled) as the URI is loaded by your browser and not by the server.

User-generated tags in a forum can always be a security threat and should be filtered out. Depending on your code it may be possible for a hostile website to include code that reads client-side session cookies with the rights of your respective page.

If you work with PHP you may want to use the $str = strip_tags($str) function. Note that nested tags may not be detected properly.

A security threat could also be based on CDATA or HTML comments. If you work with single quotes or double quotes in <input> tags it could be useful to also replace these by an empty string.

If you work with UTF-8 you could do it that way:

// Match in UTF-8 so multibyte input is handled correctly.
mb_regex_encoding('UTF-8');
// Remove single quotes.
$str = mb_eregi_replace( '\'' , '' , $str);
// Remove opening tags, then closing tags.
$str = mb_eregi_replace( '<([A-Z][A-Z0-9]*)\b[^>]*>' , '' , $str);
$str = mb_eregi_replace( '<\/([A-Z][A-Z0-9]*)\b[^>]*>' , '' , $str);
// Remove HTML comment delimiters.
$str = mb_eregi_replace( '<!--' , '' , $str);
$str = mb_eregi_replace( '-->' , '' , $str);
// Remove CDATA section delimiters.
$str = mb_eregi_replace( '<!\[CDATA\[' , '' , $str);
$str = mb_eregi_replace( '\]\]>' , '' , $str);
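
One way to apply server-side filtering to the question's goal, as an added example that is not part of the original answer: parse each post when it is submitted and drop every img element whose src is not on your own site. The host forum.example and both function names are assumptions.

```php
<?php
// Added example, not from the original answer. Names and hosts are assumptions.
const ALLOWED_IMAGE_HOSTS = ['forum.example']; // hypothetical: your own host(s)

function is_allowed_image_src(string $src): bool
{
    // Browsers read "\" as "/" and skip whitespace/control bytes in URLs,
    // which parse_url() does not, so refuse such values outright.
    if ($src === '' || preg_match('/[\\\\\x00-\x20]/', $src)) {
        return false;
    }
    // Root-relative path on this site; "//host/..." is protocol-relative, so excluded.
    if (preg_match('#^/(?!/)#', $src)) {
        return true;
    }
    if (!preg_match('#^https?://#i', $src)) {
        return false; // data:, javascript:, bare relative paths, unknown schemes
    }
    $host = parse_url($src, PHP_URL_HOST);
    return is_string($host) && in_array(strtolower($host), ALLOWED_IMAGE_HOSTS, true);
}

function drop_external_images(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // user markup is rarely well-formed
    // The meta element makes libxml read the fragment as UTF-8.
    $doc->loadHTML('<meta http-equiv="Content-Type" content="text/html; charset=utf-8">' . $html, LIBXML_NONET);
    libxml_clear_errors();
    // Copy the live node list before removing nodes from it.
    foreach (iterator_to_array($doc->getElementsByTagName('img')) as $img) {
        $img->removeAttribute('srcset'); // srcset can also name remote URLs
        if (!is_allowed_image_src(trim($img->getAttribute('src')))) {
            $img->parentNode->removeChild($img);
        }
    }
    $body = $doc->getElementsByTagName('body')->item(0);
    $out = '';
    foreach ($body ? $body->childNodes : [] as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample post: one local image, two external ones.
$post = '<p>Hi <img src="/uploads/a.png"><img src="https://cdn.invalid/b.png"><img src="//cdn.invalid/c.png"></p>';
echo drop_external_images($post), "\n";
```

This handles img elements only; the rest of a user's markup still needs the tag filtering described above.
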
License: CC-BY-SA with attribution
Not affiliated with StackOverflow