keiran420 Posted November 3, 2008

Hey people,

I'm creating a CMS at the minute, all's going OK... http://keiran420.ulmb.com/hbhcms/

I save all article, news and shout input as HTML entities. It's easy enough to add in custom tags like [b][/b] and replace them with a fresh uncoded <b></b> before displaying... The same with several other tags; I had a nice little array and loop going...

But problems have arisen ^^ I got a lot of people to try and hack my site, and someone came up with....

[img]http://[img]onerror=alert(/closed/)[b]

which brought a nice popup up...

So the problems are....

1. Making sure every opener has a closer. I have sort of got this one, but the code is long and unnecessary...

2. Making sure the user doesn't add in code like onerror=! The problem is I want to use image links and URL links... the tags would look like [url][/url] and [img][/img]... But the HTML will have to be like...

echo "<img src=' ".$USERINPUT." '>";

or

echo "<a href=' ".$USERINPUT." '>Link</a>";

As you can see, problems arise... The logical answer is to scan this bit of input against all known bad words.... but I also don't want to ban www.TheConErrorTheory.com (100% random)...

All I really need is a good source of information on this subject, or a nice push in the right direction... either would be great. Thanks for reading.

The tags I'm using are: [B] [/B] [U] [/U] [IMG] [/MG] etc... some of them seem to have vanished ^^
bastones Posted November 3, 2008

Not sure what your question is, but if you want to allow BBCode in your application but disallow other code, then you need to use either the str_ireplace() or preg_replace() function. Here's an example of both functions:

<?php
$strreplace = str_ireplace("find", "replace", "text to search");
?>

...for preg_replace() you use something slightly different, something called regex; you should search Google for tutorials on preg_replace in PHP. You can use str_ireplace(), which stands for case-insensitive string replace, which means it would detect both upper- and lower-case tags. To prevent other HTML tags you could use:

<?php
// arrays here
if (str_ireplace($find, $replace, $search)) {
    // code to execute
} else {
    $form = htmlspecialchars($_POST['form']);
}
?>

Now, when you are saying if(str_ireplace()) you're basically asking if it was executed and you'd get a yes or no answer. If no, it goes to else (just in case you didn't know).

Hope this helps!
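A worked example, added here and not code from keiran420's CMS or from bastones' post, of the two things the first post asks for: closing every opener, and rendering [url]/[img] without letting user text reach an attribute unchecked. The tag set ([b], [i], [u], [url], [img]), the exact output markup and the helper names are assumptions for the example; the sample inputs are constructed and include the payload quoted in the first post. Instead of searching for bad words, it escapes every piece of text with htmlspecialchars and only emits an img/a tag when the enclosed text is a plain absolute http(s) URL, so www.TheConErrorTheory.com stays allowed while onerror= can never become an attribute.

```php
<?php
// Added example (not the thread author's CMS code): a stack-based
// BBCode -> HTML converter. Tag names and output markup are assumptions.

function is_safe_url(string $url): bool
{
    // Absolute http(s) only, so javascript: and data: never reach href/src;
    // whitespace, quotes and angle brackets are rejected outright.
    return (bool) preg_match(
        '~^https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s"\'<>]*)?$~',
        $url
    );
}

function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function bbcode_to_html(string $input): string
{
    // Split into tag tokens and text tokens; the delimiter capture keeps the tags.
    $tokens = preg_split('/(\[\/?(?:b|i|u|url|img)\])/i', $input, -1,
                         PREG_SPLIT_DELIM_CAPTURE | PREG_SPLIT_NO_EMPTY);
    $out   = '';
    $stack = [];    // currently open inline tags, e.g. ['b', 'i']
    $link  = null;  // ['tag' => 'url'|'img', 'open' => '[img]', 'text' => ...] while inside one

    foreach ($tokens as $tok) {
        $isTag = preg_match('/^\[(\/?)(b|i|u|url|img)\]$/i', $tok, $m) === 1;
        $close = $isTag && $m[1] === '/';
        $name  = $isTag ? strtolower($m[2]) : null;

        if ($link !== null) {
            // Inside [url]/[img]: everything except the matching closer is URL
            // text, so a nested "[img]" or "[b]" can never turn into markup.
            if ($close && $name === $link['tag']) {
                $url = trim($link['text']);
                if (is_safe_url($url)) {
                    $out .= $link['tag'] === 'img'
                        ? '<img src="' . esc($url) . '" alt="">'
                        : '<a href="' . esc($url) . '" rel="nofollow">' . esc($url) . '</a>';
                } else {
                    // Not a URL we vouch for: show the whole thing as literal text.
                    $out .= esc($link['open'] . $link['text'] . $tok);
                }
                $link = null;
            } else {
                $link['text'] .= $tok;
            }
            continue;
        }

        if (!$isTag) {
            $out .= esc($tok);
        } elseif (!$close && ($name === 'url' || $name === 'img')) {
            $link = ['tag' => $name, 'open' => $tok, 'text' => ''];
        } elseif (!$close) {
            $stack[] = $name;
            $out .= "<$name>";
        } elseif (in_array($name, $stack, true)) {
            // Closer for an open tag: close anything opened after it first,
            // so the HTML nests properly ([b]x[i]y[/b] -> <b>x<i>y</i></b>).
            do {
                $top = array_pop($stack);
                $out .= "</$top>";
            } while ($top !== $name);
        } else {
            $out .= esc($tok);  // stray closer: keep it as text
        }
    }

    // Every opener gets a closer: an unfinished [url]/[img] becomes text,
    // unfinished inline tags are closed in reverse order.
    if ($link !== null) {
        $out .= esc($link['open'] . $link['text']);
    }
    while ($stack) {
        $out .= '</' . array_pop($stack) . '>';
    }
    return $out;
}

// Constructed sample inputs, including the payload quoted in the thread.
$samples = [
    '[b]hello [i]world[/b]',
    '[img]http://[img]onerror=alert(/closed/)[b]',
    '[url]http://www.TheConErrorTheory.com/[/url] and <script>',
];
foreach ($samples as $s) {
    echo bbcode_to_html($s), "\n";
}
```

The payload from the thread comes out as the literal text `[img]http://[img]onerror=alert(/closed/)[b]` because the inner `[img]` and `[b]` are swallowed into the URL buffer and the outer `[img]` is never closed, so nothing is emitted as markup. The converter expects the raw stored string; if the input has already been run through htmlspecialchars on the way into the database (as the first post describes), decode it with html_entity_decode first, otherwise `&` in a URL is escaped twice.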
DarkWater Posted November 3, 2008

If you want to get a primer on regex syntax, read my tutorial on the main site.