Download version 1.0 of StripTags for PHP5
After some further development over the last couple of weeks, I have released version 1.0 of the StripTags class for PHP.
This class is designed to replace the strip_tags function in PHP, which does not work particularly well. It serves to help website authors avoid cross-site-scripting (XSS) attacks in user-created content, for sites such as blogs or forums where users can enter entries, articles, or comments.
You can read more about the class and XSS in general in the following article: Helping Prevent XSS Attacks in PHP5
The big new feature change in this version of the class is the ability to find XSS attacks injected via unicode-encoded attributes, such as:
<IMG SRC=javascript:alert('XSS')>
We now successfully find these and neutralise them by inserting extra junk in the attribute string so that they are not processed by client browsers.
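The following is an added illustration of the detection problem described above; it is not code from the StripTags class. It shows why an attribute value must be entity-decoded and whitespace-normalised before its URL scheme is checked: a naive check on the raw string misses the encoded form, while a check on the normalised form catches it. The function and sample values are constructed for this example, and the neutralisation step (replacing the value with an inert "#") is a simpler stand-in for the class's own approach of inserting junk into the attribute string.

```php
<?php
// Added example, not part of the StripTags class.
// Normalise an attribute value the way a browser effectively does before it
// interprets a URL scheme: decode HTML entities, then drop the control
// characters and spaces that browsers ignore inside a scheme name.
function normaliseAttributeValue(string $value): string
{
    // Decode decimal (&#106;), hex (&#x6A;) and named (&amp;) entities.
    // Caveat: browsers also accept numeric entities with no trailing ';';
    // this example does not handle that variant.
    $decoded = html_entity_decode($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    // Tabs, newlines, NULs and spaces embedded in "jav\tascript" are ignored
    // by browsers, so strip them before looking at the scheme.
    $decoded = preg_replace('/[\x00-\x20]+/', '', $decoded);
    return strtolower($decoded);
}

// True when the value resolves to a script-executing URL scheme.
function isUnsafeUrl(string $value): bool
{
    return (bool) preg_match('/^(javascript|vbscript):/', normaliseAttributeValue($value));
}

// Naive check on the raw string, for comparison: this is what the encoded
// variants slip past.
function isUnsafeUrlNaive(string $value): bool
{
    return (bool) preg_match('/^javascript:/i', $value);
}

// Neutralise an unsafe URL attribute by replacing it with an inert value.
function sanitiseUrlAttribute(string $value): string
{
    return isUnsafeUrl($value) ? '#' : $value;
}

// Constructed sample attribute values (not taken from real traffic).
$samples = [
    "javascript:alert('XSS')",                                                     // plain form
    "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')",  // decimal entities
    "&#x6A;avascript:alert('XSS')",                                                // hex entity
    "jav&#x09;ascript:alert('XSS')",                                               // tab inside scheme
    "http://example.com/image.png",                                                // benign
];

foreach ($samples as $s) {
    printf("%-80s naive=%-5s normalised=%-5s -> %s\n",
        $s,
        isUnsafeUrlNaive($s) ? 'UNSAFE' : 'ok',
        isUnsafeUrl($s) ? 'UNSAFE' : 'ok',
        sanitiseUrlAttribute($s));
}
```

Running this shows the naive check flagging only the first sample, while the normalised check flags the first four and leaves the benign URL untouched. The same decode-then-check ordering applies to any attribute that carries a URL (SRC, HREF, ACTION, and so on).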
Please note that this class is not a 100% complete solution to XSS. We do not handle all of the ways that XSS can be achieved through CSS and other forms of style (and thus always recommend that you not permit users to enter STYLE elements or "style" attributes on other elements). Solving this problem requires a significant amount of work and effort, and I believe that if you want to give users that degree of input control, you should have them use a Wiki-language engine such as Textile.
The README and INSTALL documents have full information on how to use the class as well as what it does and does not do.
As always, please feel free to email me with any questions, comments, or bug reports. I’ll fix the latter as quickly as I can.