Title: Security Question
Last modified: September 1, 2016

---

# Security Question

 *  Resolved [ac1643](https://wordpress.org/support/users/ac1643/)
 * (@ac1643)
 * [9 years, 10 months ago](https://wordpress.org/support/topic/security-question-18/)
 * Hi,
 * I wondered if you could give me your input on a potential security issue I’ve
   come across?
 * I have been looking to preserve html markup in post excerpts and came across 
   this code:
 * ———
 *     ```
       <?php
       function keep_my_links($text) {
         global $post;
       if ( '' == $text ) {
           $text = get_the_content('');
           $text = apply_filters('the_content', $text);
           $text = str_replace('\]\]\>', ']]>', $text);
           $text = preg_replace('@<script[^>]*?>.*?</script>@si', '', $text);
           $text = strip_tags($text, '<a>');
         }
         return $text;
       }
       remove_filter('get_the_excerpt', 'wp_trim_excerpt');
       add_filter('get_the_excerpt', 'keep_my_links');
       ?>
       ```
   
 * ——–
 * This is the line which prevents links from being deleted in excerpts:
   `$text = strip_tags($text, '</a><a>');`
 * However I’ve read that this can lead to security issues, such as:
 * ——-
    A word of caution. strip_tags() can actually be used for input validation
   as long as you remove ANY tag. As soon as you accept a single tag (2nd parameter),
   you are opening up a security hole such as this:
 * `<acceptedTag onLoad="javascript:malicious()" />`
    ——-
 * Do you think this is a problem, and does Ninja Firewall interact with this issue
   in any way?
 * [https://wordpress.org/plugins/ninjafirewall/](https://wordpress.org/plugins/ninjafirewall/)
 * _[moderated to put backtick tags around code]_

Viewing 2 replies - 1 through 2 (of 2 total)

 *  Plugin Author [nintechnet](https://wordpress.org/support/users/nintechnet/)
 * (@nintechnet)
 * [9 years, 10 months ago](https://wordpress.org/support/topic/security-question-18/#post-7645330)
 * Hi
 * It depends on who has control over the excerpts text:
 * - If this is your own text, that is fine, you can trust yourself 🙂
 * - If the text was written by someone else, you are indeed in trouble: if you
   leave some tags, they can be used to inject JS, HTML events, links etc. Also,
   even this line is not really reliable:
 *     ```
       $text = preg_replace('@<script[^>]*?>.*?</script>@si', '', $text);
       ```
   
 * It does not take into consideration that the closing `</script>` could include
   a space or LF character, such as `</script >`.
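
The two concerns raised in this thread (attributes surviving `strip_tags()` when a tag is allowed, and the `<script>` regex missing a closing tag written as `</script >`) both come from filtering markup with string tools instead of a parser. The following is an added example, not code from the thread or from NinjaFirewall: it builds the excerpt filter on DOMDocument with an explicit allowlist, keeping only `<a>` elements with an http/https/mailto `href`, copying no other attribute, and dropping `<script>`/`<style>` subtrees together with their content. The function names `keep_links_only`, `render_allowed` and `thread_filter`, the allowlist policy and the sample strings are all constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread or from NinjaFirewall): an allowlist-based
// excerpt filter built on DOMDocument instead of strip_tags() plus a regex.
// Policy (constructed for this example): keep <a> only with an http/https/mailto
// href and no other attribute, keep the text of every other tag but drop the tag,
// and drop <script>/<style> subtrees including their content.

function keep_links_only(string $html): string
{
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);   // tolerate sloppy markup quietly
    // The XML declaration tells libxml the byte encoding; the wrapper <div> lets
    // us find the fragment again after loadHTML() adds <html>/<body> around it.
    $doc->loadHTML('<?xml encoding="utf-8"?><div>' . $html . '</div>');
    libxml_use_internal_errors($prev);
    $root = $doc->getElementsByTagName('div')->item(0);   // first div in document order is the wrapper
    return $root === null ? '' : render_allowed($root);
}

function render_allowed(DOMNode $node): string
{
    $out = '';
    foreach ($node->childNodes as $child) {
        if ($child instanceof DOMText) {
            // Re-escape text so decoded entities cannot turn back into markup.
            $out .= htmlspecialchars($child->nodeValue, ENT_QUOTES | ENT_HTML5, 'UTF-8');
            continue;
        }
        if (!$child instanceof DOMElement) {
            continue;                               // comments, processing instructions etc. are dropped
        }
        $name = strtolower($child->tagName);
        if ($name === 'script' || $name === 'style') {
            continue;                               // drop the whole subtree, not just the tags
        }
        $inner = render_allowed($child);
        $href  = trim($child->getAttribute('href'));
        if ($name === 'a' && preg_match('~^(https?://|mailto:)~i', $href)) {
            // Only href is copied; event-handler attributes never reach the output.
            $out .= '<a href="' . htmlspecialchars($href, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">' . $inner . '</a>';
        } else {
            $out .= $inner;                         // disallowed tag (or bad href): keep text, drop the tag
        }
    }
    return $out;
}

// The thread's own two filtering steps, reproduced for comparison.
function thread_filter(string $text): string
{
    $text = preg_replace('@<script[^>]*?>.*?</script>@si', '', $text);
    return strip_tags($text, '<a>');
}

// Constructed sample inputs (not real post content).
$samples = [
    'Read <a href="https://example.com/post" onclick="handler()">the post</a> and <b>more</b>.',
    'Before <script>trackingCode()</script > after',
    'Relative <a href="/local">link</a> and <a href="https://example.com/">absolute</a>',
];

foreach ($samples as $s) {
    echo "input    : $s\n";
    echo "thread   : " . thread_filter($s) . "\n";   // onclick survives; regex misses "</script >"
    echo "allowlist: " . keep_links_only($s) . "\n\n";
}
```

Run it with `php filter.php` on any PHP 7.x or 8.x build with the dom extension. The first sample shows the `onclick` attribute passing straight through `strip_tags($text, '<a>')` while the allowlist version emits only `href`; the second shows the regex not matching `</script >` (the parser removes the element and its content regardless of how the closing tag is spelled). Inside WordPress the built-in equivalent of the allowlist approach is `wp_kses( $text, array( 'a' => array( 'href' => true ) ) )`, which also runs its own protocol check on `href`, so a theme or plugin does not need to hand-roll the DOM walk shown here.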
 *  Thread Starter [ac1643](https://wordpress.org/support/users/ac1643/)
 * (@ac1643)
 * [9 years, 10 months ago](https://wordpress.org/support/topic/security-question-18/#post-7645487)
 * Thanks for your comments, really appreciate your input.


The topic ‘Security Question’ is closed to new replies.


 * 2 replies
 * 2 participants
 * Last reply from: [ac1643](https://wordpress.org/support/users/ac1643/)
 * Last activity: [9 years, 10 months ago](https://wordpress.org/support/topic/security-question-18/#post-7645487)
 * Status: resolved