
scripts should not be stripped out

Posted by sharath
December 01, 2010 08:50AM

I want all the scripts that are present in the user-contributed input to be saved in a file. I want only the scripts; the rest of the HTML is to be purified and echoed back to the client. How can it be done?

Re: scripts should not be stripped out
December 01, 2010 01:21PM

I don't understand your question, but extracting parts of the HTML and saving it to a file is something that you'll probably have to do with regular expressions; HTML Purifier only has support for CSS.

sharath
Re: scripts should not be stripped out
December 02, 2010 05:43AM

Let me explain with an example:

<a src="<script>alert('hii');</script>" ><b>html purifier</b> <img  src="<sc r ipt>alert('hii');</s cr ipt>" />

The scripts that are present in the above example should be stripped out of the user input and saved to a file.

I am trying to log all the scripts in the user input to a file. When I tried working with regular expressions, not all the scripts were saved; the second script in the above example is not saved.

Re: scripts should not be stripped out
December 02, 2010 06:34AM

Even if HTML Purifier had the functionality you were asking for, it would not be able to catch sc ri pt from your example. I guess what you're looking for is a sort of generalized XSS detection mechanism, which is orthogonal to HTML Purifier's functionality. Unfortunately, we don't have that feature.
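The following is an added example, not code from the thread and not HTML Purifier's own API. It illustrates why the regex approach in the question misses the second payload: in the poster's input neither payload is a script element at all, both sit inside attribute values, so a regex over the raw text only finds the one that happens to be spelled `<script>`, while a tokenizer sees the attribute value regardless of spelling. The example uses Python's standard `html.parser` as a language-neutral stand-in for a real sanitizer; the class `ScriptLogger`, the function `log_and_strip` and the two extra inputs (an entity-encoded attribute and a genuine script element) are this example's own constructions and go one step beyond the thread's input.

```python
"""Added example: log script-like payloads in user-supplied HTML, then strip them.

Not HTML Purifier code. Uses Python's html.parser to show where the payloads in
the poster's example actually live (attribute values) and why a regex over the
raw markup only catches the literally spelled <script> one.
"""
import html
import json
import re
from html.parser import HTMLParser

# The poster's input, reproduced here as a constructed test string.
SAMPLE = ('<a src="<script>alert(\'hii\');</script>" ><b>html purifier</b> '
          '<img  src="<sc r ipt>alert(\'hii\');</s cr ipt>" />')

# Constructed variants beyond the thread: the same payload entity-encoded inside
# an attribute (no literal '<' in the raw text), and a real script element.
SAMPLE_ENCODED = '<img src="&lt;script&gt;alert(1)&lt;/script&gt;">'
SAMPLE_SCRIPT = '<p>hi</p><script>alert(1)</script>'

SCRIPT_RE = re.compile(r'<script\b[^>]*>(.*?)</script\s*>', re.I | re.S)

def naive_regex_scripts(markup):
    """What the poster tried: only literal, correctly spelled <script> bodies."""
    return SCRIPT_RE.findall(markup)

VOID = {'img', 'br', 'hr', 'input', 'meta', 'link'}

class ScriptLogger(HTMLParser):
    """Records script elements and attribute values that contain markup, and
    rebuilds the document without them (attributes dropped, scripts removed)."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []      # what was removed, for the log file
        self.out = []           # rebuilt markup
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == 'script':
            # Body arrives via handle_data in CDATA mode; collect it there.
            self._in_script = True
            self.findings.append({'kind': 'script-element', 'tag': tag, 'value': ''})
            return
        kept = []
        for name, value in attrs:
            value = value or ''
            # html.parser has already decoded entities, so an attribute holding
            # "&lt;script&gt;" is seen here as "<script>". Markup inside an
            # attribute value is never legitimate, whatever the tag is spelled like.
            if '<' in value or '>' in value:
                self.findings.append({'kind': 'markup-in-attribute', 'tag': tag,
                                      'attr': name, 'value': value})
            else:
                kept.append((name, value))
        rendered = ''.join(' %s="%s"' % (n, html.escape(v, quote=True)) for n, v in kept)
        self.out.append('<%s%s>' % (tag, rendered))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        self._in_script = False     # a self-closed <script/> has no body

    def handle_endtag(self, tag):
        if tag == 'script':
            self._in_script = False
            return
        if tag not in VOID:
            self.out.append('</%s>' % tag)

    def handle_data(self, data):
        if self._in_script:
            self.findings[-1]['value'] += data
        else:
            self.out.append(html.escape(data, quote=False))

def log_and_strip(markup, log_path=None):
    """Return (findings, cleaned_markup); append findings as JSON lines to log_path if given."""
    parser = ScriptLogger()
    parser.feed(markup)
    parser.close()
    if log_path:
        with open(log_path, 'a', encoding='utf-8') as fh:
            for finding in parser.findings:
                fh.write(json.dumps(finding) + '\n')
    return parser.findings, ''.join(parser.out)

if __name__ == '__main__':
    print('regex finds:', naive_regex_scripts(SAMPLE))            # only the first payload
    for sample in (SAMPLE, SAMPLE_ENCODED, SAMPLE_SCRIPT):
        findings, cleaned = log_and_strip(sample)
        print(json.dumps(findings, indent=1))
        print('cleaned:', cleaned)
```

Note what this does and does not catch, in line with the reply above: `<sc r ipt>` is logged only because it is markup-looking text sitting in a `src` attribute, not because anything recognises it as a script; no browser would execute it either. A real sanitizer does the same job with a proper HTML tokenizer plus an attribute allowlist (an `a` element has no `src` attribute in the first place), and recording what it removed is the reliable way to "save the scripts", rather than searching the raw input for a tag name.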
