You can do better than just replacing the "<" and ">" characters - as these do not prevent all attacks.

Have a look at HTML::Scrubber and HTML::Filter.

Using the first is as simple as this:

my @allow = qw[ ul li ol p br hr b a i pre blockquote tt dl dd dt ];
my @rules = (
         script => 0,
         img => {
         src => qr{^(http://)}i,   # only absolute image links allowed
         alt => 1,                 # alt attribute allowed
         '*' => 0,                 # deny all other attributes
         },
         a => {
         href => 1,                # HREF
         title => 1,               # ALT attribute allowed
         rel   => 1,               # Link relationship 
         '*' => 0,                 # deny all other attributes
         },
         );
#
my @default = (
           0   =>    # default rule, deny all tags
           {
           '*'           => 1, # default rule, allow all attributes
           'href'        => qr{^(?!(?:java)?script)}i,
           'src'         => qr{^(?!(?:java)?script)}i,
           'cite'        => '(?i-xsm:^(?!(?:java)?script))',
           'language'    => 0,
           'name'        => 1, # could be sneaky, but hey ;)
           'onblur'      => 0,
           'onchange'    => 0,
           'onclick'     => 0,
           'ondblclick'  => 0,
           'onerror'     => 0,
           'onfocus'     => 0,
           'onkeydown'   => 0,
           'onkeypress'  => 0,
           'onkeyup'     => 0,
           'onload'      => 0,
           'onmousedown' => 0,
           'onmousemove' => 0,
           'onmouseout'  => 0,
           'onmouseover' => 0,
           'onmouseup'   => 0,
           'onreset'     => 0,
           'onselect'    => 0,
           'onsubmit'    => 0,
           'onunload'    => 0,
           'src'         => 0,
           'type'        => 0,
           }
           );


#
#  Create the scrubber.
#
my $safe = HTML::Scrubber->new();
$safe->allow( @allow );
$safe->rules( @rules );
$safe->default( @default );

# deny HTML Comments
$safe->comment(0);   

#
#  Update each paramater with the cleaned version
#
my $form = new CGI;
foreach my $p ( $form->param() )
{
    my $val = $form->param($p);
    $val = $safe->scrub( $val );
    $form->param( $p, $val );
}

[download]
Steve
---
steve.org.uk

In reply to Re: How to remove HTML tags from text by skx
in thread How to remove HTML tags from text by nejcPirc

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post, it's "PerlMonks-approved HTML":


  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.