Implementing the cleanHtml Method

Now that we have defined which tags and attributes are acceptable, we must implement the cleanHtml() method in FormProcessor_BlogPost, which we created in Listing 7-17.

Thankfully, the Zend_Filter component of the Zend Framework provides a filter called Zend_Filter_StripTags, which gives us some flexibility in setting our tag and attribute requirements. We can either pass an array of allowed tags and a separate array of allowed attributes, or we can pass a single array where each key is an allowed tag and its value is an array of the attributes allowed on that tag.

Note, though, that there is a special case we must deal with: the href attribute value of hyperlinks. Browsers will execute the contents of a link's href as JavaScript if the URL begins with javascript:. The simplest test case for this is to create a link as follows:

<a href="javascript:alert('Oh no!')">Open alert box</a>

To deal with this special case, we will simply remove any occurrence of javascript: that appears inside a tag. This can be achieved easily using preg_replace().
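The following is an added example, not the book's code for FormProcessor_BlogPost. It implements the same policy described above (an allowed-tag to allowed-attribute map, plus special handling of href) but swaps two things: it uses PHP's bundled ext/dom instead of Zend_Filter_StripTags so that it runs without the Zend Framework, and it allow-lists the URL scheme of href instead of string-replacing javascript:. A literal preg_replace() on javascript: is easy to get wrong, since browsers accept the scheme in any letter case, ignore tab and newline characters inside it, and decode HTML entities in the attribute value before interpreting it; parsing the markup and checking the decoded scheme against an allow-list covers those cases. The class name HtmlCleaner, the sample policy and the sample input are all constructed for this example.

```php
<?php
// Added example, not the book's code. Allow-list HTML cleaner in the spirit of
// FormProcessor_BlogPost::cleanHtml(), built on ext/dom (DOMDocument) rather
// than Zend_Filter_StripTags, with an href scheme allow-list instead of a
// preg_replace() on "javascript:".

class HtmlCleaner
{
    // Tag => allowed attributes, the same shape Zend_Filter_StripTags accepts
    // when given a single array. Constructed sample policy.
    private $allowedTags = array(
        'p'      => array(),
        'br'     => array(),
        'strong' => array(),
        'em'     => array(),
        'ul'     => array(),
        'ol'     => array(),
        'li'     => array(),
        'a'      => array('href', 'title'),
    );

    // Tags whose content is executable or styling, not text: drop them whole
    // rather than unwrapping them like other disallowed tags.
    private $dropWithContent = array('script', 'style');

    // Only these schemes may appear in href; javascript:, data:, vbscript:
    // and anything else cause the attribute to be removed.
    private $allowedSchemes = array('http', 'https', 'mailto');

    public function clean($html)
    {
        $dom = new DOMDocument();
        // Wrap the fragment in a body so it parses without a root element; the
        // XML prolog tells libxml the input is UTF-8. @ silences warnings
        // about tags libxml does not know.
        @$dom->loadHTML('<?xml encoding="UTF-8"><body>' . $html . '</body>');
        $body = $dom->getElementsByTagName('body')->item(0);
        $this->cleanNode($body);

        $out = '';
        foreach ($body->childNodes as $child) {
            $out .= $dom->saveHTML($child);
        }
        return $out;
    }

    private function cleanNode(DOMNode $node)
    {
        // Snapshot the children first: modifying a live DOMNodeList while
        // iterating it skips siblings.
        $children = array();
        foreach ($node->childNodes as $child) {
            $children[] = $child;
        }
        foreach ($children as $child) {
            if ($child->nodeType !== XML_ELEMENT_NODE) {
                // Keep text, drop comments and processing instructions.
                if ($child->nodeType !== XML_TEXT_NODE) {
                    $node->removeChild($child);
                }
                continue;
            }
            $tag = strtolower($child->nodeName);
            if (in_array($tag, $this->dropWithContent, true)) {
                $node->removeChild($child);
                continue;
            }
            if (!isset($this->allowedTags[$tag])) {
                // Disallowed tag: clean its children, then unwrap it so the
                // text survives, which is what a strip-tags filter does.
                $this->cleanNode($child);
                while ($child->firstChild) {
                    $node->insertBefore($child->firstChild, $child);
                }
                $node->removeChild($child);
                continue;
            }
            $this->cleanAttributes($child, $this->allowedTags[$tag]);
            $this->cleanNode($child);
        }
    }

    private function cleanAttributes(DOMElement $el, array $allowed)
    {
        $names = array();
        foreach ($el->attributes as $attr) {
            $names[] = $attr->name;
        }
        foreach ($names as $name) {
            $lname = strtolower($name);
            if (!in_array($lname, $allowed, true)) {
                $el->removeAttribute($name);
            } elseif ($lname === 'href' && !$this->safeUrl($el->getAttribute($name))) {
                $el->removeAttribute($name);
            }
        }
    }

    private function safeUrl($url)
    {
        // The DOM has already decoded entities such as &#106;avascript:.
        // Strip ASCII control characters and spaces before reading the scheme
        // (browsers ignore tabs/newlines inside it and leading whitespace), and
        // compare case-insensitively so "JaVaScRiPt:" does not slip through.
        $probe = preg_replace('/[\x00-\x20]+/', '', $url);
        if (!preg_match('/^([a-z][a-z0-9+.-]*):/i', $probe, $m)) {
            return true; // no scheme: a relative URL
        }
        return in_array(strtolower($m[1]), $this->allowedSchemes, true);
    }
}

$cleaner = new HtmlCleaner();
// Constructed input: the book's test case plus an event handler and a script.
$dirty = '<p onclick="x()">Hi <a href="javascript:alert(\'Oh no!\')">Open alert box</a>'
       . ' <a href="https://example.com" title="ok">fine</a><script>evil()</script></p>';
echo $cleaner->clean($dirty), "\n";
```

Run with the PHP CLI: the onclick attribute and the script element are removed, the javascript: link keeps its text but loses its href, and the https link is left intact. Because the check runs on the decoded attribute value, an entity-encoded or mixed-case scheme is rejected by the same code path as the plain one, which is the case a literal string replacement misses.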
