force strip_tags() on all user input unless explicitly allowed

2025-12-13 18:35:57 +00:00 · 2017-12-03 23:35:38 +03:00
parent 7c6f7bb0aa
commit e6532439d6
13 changed files with 286 additions and 275 deletions
--- a/include/functions.php
+++ b/include/functions.php
@@ -725,6 +725,17 @@
 		}
 	}

+	// this is used for user http parameters unless HTML code is actually needed
+	function clean($param) {
+		if (is_array($param)) {
+			return array_map(strip_tags, $param);
+		} else if (is_string($param)) {
+			return strip_tags($param);
+		} else {
+			return $param;
+		}
+	}
+
 	function make_password($length = 8) {

 		$password = "";