allistera
Posted April 24, 2008

Ok hopefully this should be my last problem for my current project. I have a BBcode converter, this is what it looks like:

```php
<?php
function BBCode($str) {
    $str = html_entity_decode($str);

    // BBCode patterns; the slashes in http:// are escaped because "/" is the delimiter
    $a = array(
        "/\[i\](.*?)\[\/i\]/is",
        "/\[b\](.*?)\[\/b\]/is",
        "/\[u\](.*?)\[\/u\]/is",
        "/\[code\](.*?)\[\/code\]/is",
        "/\[url=http:\/\/(.*?)\](.*?)\[\/url\]/is",
        "/\[size=(.*?)\](.*?)\[\/size\]/is",
    );

    // HTML replacements, in the same order as the patterns above
    $b = array(
        "<i>$1</i>",
        "<b>$1</b>",
        "<u>$1</u>",
        "<p class=\"code\">$1</p>",
        "<a href=\"$1\" target=\"_blank\"> $2 </a>",
        '<font size=$1>$2</font>',
    );

    $str = preg_replace($a, $b, $str);
    $str = nl2br($str);
    return $str;
}
?>
```

There is just one problem, the a href, a user can inject javascript into it like so:

Click Me!

How would I make it so that the user can only enter links, and not javascript?

Thanks!

Link to comment https://forums.phpfreaks.com/topic/102816-solved-remove-javascript-from-links/

947740
Posted April 24, 2008

Do a string search, and if they have a "javascript:" in there, do not let them add the link.

moselkady
Posted April 24, 2008

Maybe you can add another replace expression for the case of a javascript in the url that would display an error message:

```php
// Patterns: same as before, plus one that matches [url=javascript:...]
$a = array(
    "/\[i\](.*?)\[\/i\]/is",
    "/\[b\](.*?)\[\/b\]/is",
    "/\[u\](.*?)\[\/u\]/is",
    "/\[code\](.*?)\[\/code\]/is",
    "/\[url=http:\/\/(.*?)\](.*?)\[\/url\]/is",
    "/\[url=javascript:(.*?)\](.*?)\[\/url\]/is",
    "/\[size=(.*?)\](.*?)\[\/size\]/is",
);

// Replacements: the javascript: case prints an error instead of a link
$b = array(
    "<i>$1</i>",
    "<b>$1</b>",
    "<u>$1</u>",
    "<p class=\"code\">$1</p>",
    "<a href=\"$1\" target=\"_blank\"> $2 </a>",
    "<u>invalid url [javascript:$1]</u>",
    '<font size=$1>$2</font>',
);
```

allistera (Author)
Posted April 24, 2008

Thanks moselkady, that worked fine! I'm surprised I never thought of that. Will this remove all javascript? I am not a JS expert so I don't know if all JS needs to begin with "javascript:"?

947740
Posted April 25, 2008

That is the only way they can include javascript in a link. They could do an onclick="" as well, so you may want to remove that.
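
An allow-list version of the link rule, as an added example that is not code from the thread: it escapes the whole post first, then links only http/https targets, so neither a javascript: target nor a quote followed by onclick reaches the href. The function names `safe_link()` and `bbcode_url()` and the sample posts are constructed for illustration.

```php
<?php
// Added example, not code from the thread. safe_link() and bbcode_url() are
// hypothetical names; only the [url=...] tag is handled.

// Callback for one [url=...]...[/url] match. $m[1] and $m[2] arrive already
// HTML-escaped, because bbcode_url() escapes the whole post first.
function safe_link(array $m): string
{
    // Validate the value the browser would see, not the escaped form.
    $url    = htmlspecialchars_decode($m[1], ENT_QUOTES);
    $parts  = parse_url($url);
    $scheme = is_array($parts) && isset($parts['scheme'])
        ? strtolower($parts['scheme']) : '';

    // Allow-list: http or https with a host, and no quotes, angle brackets,
    // whitespace or control bytes anywhere in the target.
    $ok = in_array($scheme, ['http', 'https'], true)
        && !empty($parts['host'])
        && !preg_match('/[\x00-\x20"\'<>]/', $url);

    if (!$ok) {
        return $m[2] . ' <u>[invalid url]</u>';   // keep the text, drop the link
    }
    $href = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    return '<a href="' . $href . '" target="_blank" rel="noopener noreferrer">'
         . $m[2] . '</a>';
}

function bbcode_url(string $post): string
{
    // Escape everything first so markup typed by the user is inert text.
    $safe = htmlspecialchars($post, ENT_QUOTES, 'UTF-8');
    // On a PCRE error fall back to the escaped, unlinked text.
    return preg_replace_callback('~\[url=([^\]]+)\](.*?)\[/url\]~is', 'safe_link', $safe) ?? $safe;
}

// Constructed sample posts.
$samples = [
    '[url=http://example.com/?a=1&b=2]Example[/url]',
    '[url=javascript:void(0)]Click Me![/url]',
    '[url=http://example.com/" onclick="return false]Click Me![/url]',
];
foreach ($samples as $s) {
    echo bbcode_url($s), PHP_EOL;
}
```

Only the first sample comes out as an anchor; the other two are printed as escaped text followed by the invalid-url marker.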
Archived
This topic is now archived and is closed to further replies.