CSS Hijack Prevention - Redux
Posted by Greg Bulmash in Techno Thoughts, Web Programming

So, I should have known I was missing something. WordPress was letting me insert styles in my comment text because I was logged in as Admin and therefore had privileges. When I tried putting the CSS in comments while logged out (posting as Joe Blow user), it stripped the styles without needing my plugin. So my first foray into plugin writing, though working nicely, wasn't necessary.
BUT, there are some systems where this vulnerability still exists (like those idiots at MySpace), and if you're rolling your own, this bit of code will still be helpful.
And if you still want the plugin to see how darn easy it is to write a plugin... here it is.
Presenting The Code
// Suppress any tag in the comment text that carries a style attribute or is a <style> tag.
function noCSShijackfull($content){
    // Grab every tag (anything between < and >, across line breaks) into $catchit[0].
    preg_match_all("/<(.|\n)+?>/",$content,$catchit);
    // NOW SPOOL THROUGH THAT ARRAY AND LOOK FOR STYLE TAGS.
    for($i=0;$i<count($catchit[0]);$i++){
        $checkit = $catchit[0][$i];
        // Match a style="" attribute (preceded by a quote or a space) or a <style> tag.
        if(preg_match("/\"style| style|<style/i",$checkit)){
            $holdit = $checkit;
            $checkit = "<tag containing CSS suppressed>";
            $content = str_replace($holdit,$checkit,$content);
            // Also drop any closing </div>, so the comment can't close the page's containing div.
            $content = str_replace("</div>","",$content);
        }
    }
    return $content;
}
And if you want a quick and dirty HTML tag stripper...
// Alternative to the function above (same name, so use one or the other): strips every tag outright.
function noCSShijackfull($content){
    preg_match_all("/<(.|\n)+?>/",$content,$catchit);
    for($i=0;$i<count($catchit[0]);$i++){
        $checkit = $catchit[0][$i];
        // Remove each matched tag from the content, leaving only the text.
        $content = str_replace($checkit,"",$content);
    }
    return $content;
}
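An allowlist-based version of the same idea, added here as an example and not part of the plugin above: instead of searching tags for the word "style", it parses the comment with PHP's DOM extension and keeps only the tags and attributes named in COMMENT_ALLOWED_TAGS (an assumed policy; adjust to taste). This is the approach WordPress's own wp_kses filtering takes for non-privileged commenters.

```php
<?php
// Added example, not the plugin's own code: an allowlist sanitizer for comment HTML.
// It parses the comment with DOMDocument, keeps only the tags/attributes listed below
// (an assumed policy) and drops <style>/<script> with their contents; a stray </div>
// is simply ignored by the parser, so a comment cannot close the page's layout either.
const COMMENT_ALLOWED_TAGS = [
    'a' => ['href'], 'b' => [], 'strong' => [], 'i' => [], 'em' => [],
    'code' => [], 'p' => [], 'br' => [], 'blockquote' => [],
];

function sanitizeComment(string $html): string {
    libxml_use_internal_errors(true);   // malformed input is expected; suppress warnings
    $dom = new DOMDocument();
    // <?xml prefix: read input as UTF-8; wrapper <div> avoids auto-<p> and is unwrapped by cleanNode().
    $loaded = $dom->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>');
    libxml_clear_errors();
    $body = $loaded ? $dom->getElementsByTagName('body')->item(0) : null;
    if ($body === null) {
        return htmlspecialchars($html, ENT_QUOTES, 'UTF-8');   // fall back to plain text
    }
    cleanNode($body);
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $dom->saveHTML($child);
    }
    return $out;
}

function cleanNode(DOMNode $node): void {
    // Iterate over a copy: removing from a live NodeList while looping skips siblings.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if (!$child instanceof DOMElement) continue;            // text nodes stay as-is
        $tag = strtolower($child->tagName);
        if ($tag === 'style' || $tag === 'script') {
            $node->removeChild($child);                         // drop element and contents
            continue;
        }
        cleanNode($child);                                      // clean descendants first
        if (!isset(COMMENT_ALLOWED_TAGS[$tag])) {               // unknown tag: unwrap it
            while ($child->firstChild !== null) $node->insertBefore($child->firstChild, $child);
            $node->removeChild($child);
            continue;
        }
        foreach (iterator_to_array($child->attributes, false) as $attr) {
            $name = strtolower($attr->name);
            $keep = in_array($name, COMMENT_ALLOWED_TAGS[$tag], true)
                && !($name === 'href' && !preg_match('#^https?://#i', $attr->value));
            if (!$keep) $child->removeAttribute($attr->name);   // kills style=, on*=, class=
        }
    }
}
```

Because the decision is "is this tag/attribute on the list?" rather than "does this tag mention style?", variants like single-quoted attributes, extra whitespace around the `=`, or CSS smuggled through an `onmouseover` handler are all caught by the same rule.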