in reply to Regex: Strip <script> tags?
Yes, do use a prepackaged filter. <scr<script>Kiddies</script>ipt> are clever buggers</script>
Update: In response to Anonymous Monk below (in case you think you can win in the battle of workarounds): check out the XSS Cheat Sheet. It is quite old, so don't count on it including all XSS exploits; however, look at that list and ask yourself whether your time is better spent researching and fighting these or actually working on something related to your site's business.

My advice: Find and use a module which scrubs user-submitted HTML. Find one which is maintained and thorough. It isn't typically worth doing it yourself (in general). No, your case is probably not special enough to warrant doing it yourself - you've got better things to do.
Good Day,
Dean
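Added example, not part of the original post or of any code in this thread: the nested string from the post run through a single-pass `<script>` strip, next to plain entity-escaping of the same input. The function names (`strip_script_once`, `escape_html`, `has_script_tag`) and the first sample are constructed for illustration; escaping is only an option when no user markup has to survive, otherwise the post's advice of a maintained scrubbing module applies.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical naive filter: delete each <script>...</script> pair in one pass.
sub strip_script_once {
    my ($html) = @_;
    $html =~ s{<script\b[^>]*>.*?</script\s*>}{}gis;
    return $html;
}

# Alternative when no markup has to survive: encode the HTML metacharacters
# so the browser renders the input as text instead of parsing it.
my %ENTITY = (
    '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
    '"' => '&quot;', "'" => '&#39;',
);

sub escape_html {
    my ($text) = @_;
    $text =~ s/([&<>"'])/$ENTITY{$1}/g;
    return $text;
}

# True if the string still contains an opening <script> tag.
sub has_script_tag {
    my ($html) = @_;
    return $html =~ /<script\b/i ? 1 : 0;
}

# Sample inputs: the first is constructed, the second is the string from the post.
my @samples = (
    '<b>hi</b><script>x()</script>',
    '<scr<script>Kiddies</script>ipt> are clever buggers</script>',
);

for my $in (@samples) {
    my $stripped = strip_script_once($in);
    my $escaped  = escape_html($in);
    printf "input:    %s\n", $in;
    printf "stripped: %s  [script tag left: %s]\n",
        $stripped, has_script_tag($stripped) ? 'yes' : 'no';
    printf "escaped:  %s  [script tag left: %s]\n\n",
        $escaped, has_script_tag($escaped) ? 'yes' : 'no';
}
```

The simple sample comes out clean, which is why a filter like this passes casual testing; on the post's string, removing the inner pair joins `<scr` and `ipt>` into a fresh opening tag.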
Re^2: Regex: Strip <script> tags?
by Anonymous Monk on May 25, 2012 at 22:35 UTC