safe_html.php updated to version 0.6

Chris Snyder

Jan 29, 2007, 11:07:35 AM1/29/07
to CHXO Announce
Package: safe_html.php
URL: http://chxo.com/chxo-scripts/safe_html/

This is a critical update to fix an exploit brought to my attention by
Görg Pflug of Accentive Heidelberg GMBH.

He found that an attacker could take advantage of the tag-stripping
features of safe_html() by embedding a tag-to-be-stripped in the
middle of an XSS attempt. When safe_html() strips the tag, the exploit
becomes active. His example looked like: src="java<script>:alert(123)"

The function has been updated to check for XSS conditions once more,
*after* all text replacements have been performed.

Also in this update: standard tests to prove that safe_html() is safe
against known exploits. See http://chxo.com/chxo-scripts/safe_html/tests.php

Thanks!

Chris Snyder
csn...@chxo.com
