- jmh9072
Posted by: Sprool
Posted by: jmh9072
Posted by: Sprool
I got it, I'll just add a <noscript> tag to your title, so that way, it blocks everything javascript, but you can still mess around with style and other html.
You could use eregi() to throw an error upon finding "<script" anywhere in the submitted strings.
Really? You mean it will search through GET and POST, and all values in them?
Well, it can't search through the arrays themselves, but you can look through the array's elements individually.
e.g.
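// Case-insensitive match against one request value
if (eregi("<script", $_GET["Name"]))
{
    echo "You messed with me!!";
    exit;
}
or
// eregi_replace() returns the modified string, so keep the result
$name = eregi_replace("<script", "<STRONG>I'm a -blam!-</STRONG", $_GET["Name"]);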
Posted by: paulmarv
Posted by: jmh9072
Posted by: Sprool
I got it, I'll just add a <noscript> tag to your title, so that way, it blocks everything javascript, but you can still mess around with style and other html.
You could use eregi() to throw an error upon finding "<script" anywhere in the submitted strings.
Now that I think of it, there are other ways to embed javascript. Couldn't I just create an element (that supports the handler) and insert code in the onLoad() handler? Or make an invisible, page-consuming <div> and handle the onMouseMove() event or something like that?
Hmm.. I dunno. It's probably possible.
[Edited on 11.21.2008 8:34 PM PST]
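Added example, not code from any poster in this thread: it runs the "<script" substring check discussed above over constructed sample values, including the event-handler cases raised in the last post, and prints each value as it looks after output encoding with htmlspecialchars(). The function names and sample strings are assumptions made for illustration, and stripos() stands in for eregi(), which was removed in PHP 7.0.

```php
<?php
// Added example; function names and sample inputs are constructed for illustration.

// The thread's check: reject a value only if it contains "<script" (case-insensitive).
function passes_script_blocklist(string $value): bool
{
    return stripos($value, '<script') === false;
}

// Output encoding: applied when the value is written into the HTML page,
// so markup characters are rendered as text instead of being parsed.
function encode_for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed samples covering the cases mentioned in the thread.
$samples = [
    'plain name'         => 'Sprool',
    'script tag'         => '<script>alert(1)</script>',
    'mixed-case tag'     => '<ScRiPt>alert(1)</ScRiPt>',
    'onload handler'     => '<body onload="alert(1)">',
    'onmousemove on div' => '<div onmousemove="alert(1)"></div>',
];

foreach ($samples as $label => $value) {
    // "accepted" means the substring check would let the value through unchanged.
    $verdict = passes_script_blocklist($value) ? 'accepted' : 'rejected';
    printf(
        "%-20s blocklist: %-8s encoded: %s\n",
        $label,
        $verdict,
        encode_for_html($value)
    );
}
```

The two handler samples contain no "<script" substring, so the check accepts them, while the encoded form of every sample contains no literal "<", ">" or quote characters. Encoding turns all markup into text, so it does not keep the "style and other html" from the first post; permitting a subset of HTML calls for an allowlist of tags and attributes rather than a substring match.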