Guber-X Posted March 9, 2012

Okay, I know there are lots of these questions out there and tons of ways to do this. I do have it working to replace URLs with <a href="URLs">URLs</a> but now I need some help detecting <a href=""></a> so the preg_replace will not double up the code and mess up the link. Here is my code so far.

```php
<?php
echo 'COMMENTS<br /><br />';
while ($rows = mysql_fetch_array($comres)) {
    list($comid, $menu_title, $post_id, $comdate, $comname, $comment) = $rows;

    // Convert newlines to <br /> for display
    $comment = nl2br($comment);

    // Wrap every bare URL in an anchor tag (also matches URLs already inside an <a href="">)
    $comment = preg_replace('/(http|https|ftp|ftps)\:\/\/[a-zA-Z0-9\-\.]+\.[a-zA-Z]{2,3}(\/\S*)?/', '<a href="$0" target="_new">$0</a>', $comment);
    $comment = str_replace("´", "'", $comment);

    $comdate = date("g:ia - M j, Y", strtotime("$comdate"));

    echo 'User: '.$comname.'<font color="#B20303"> - '.$comdate.'</font><br />';
    echo ' - '.$comment.'<br /><br />';
}
?>
```

So with this code, if someone commented a link like this

```
http://example.com
```

it will turn it into this

```
<a href="http://example.com" target="_new">http://example.com</a>
```

but now if someone knew some basic HTML coding, and they used this

```
<a href="http://example.com">Example.com</a>
```

it will look like this...

```
<a href=<a href="http://example.com" target="_new">http://example.com</a>>Example.com</a>
```

requinix Posted March 9, 2012

Do you want to allow people to enter HTML?

Guber-X Posted March 10, 2012

Yeah, I don't mind people using HTML, I monitor it myself since it's my only active website at this moment. So for the time being, yeah, I don't mind them using HTML. Future sites will be designed a little better.

requinix Posted March 10, 2012

So I could post, say,

```
malicious_code(document.cookie, document.location);
```

where malicious.js is, well, malicious. You wouldn't mind that?

Guber-X Posted March 10, 2012

Hmm... good point... so then how could I limit what users can post then?

requinix Posted March 10, 2012

Don't let them post HTML and instead allow BBCode (or something similar). People can still enter links and images, format with bold and underlines, change font size and color... It's a different yet very similar syntax, but it's so common nowadays that the people who do know HTML 99% likely know BBCode as well.

Guber-X Posted March 10, 2012

So I guess I'll have to basically re-write my code for my comment form?

requinix Posted March 11, 2012

The fact of the matter is that it can be very difficult to sanitize arbitrary HTML. strip_tags() will remove tags you don't want but it won't do anything about attributes; even if you allowed only tags someone could use

You could use regular expressions to deal with most of this by making sure there aren't any invalid tags #?b[^>]+># (if this matches then there's a tag with something inside it), but all you're accomplishing is allowing for BBCode tags that use s instead of []s. Which isn't bad, it's just that you've gone full circle.

Either way you need to do something with the comment form if you want to allow some kind of markup.

Guber-X Posted March 11, 2012

How about just making it so they can't use any code whatsoever, just plain text. I think that would be better. I don't need people commenting links or posting photos in the comment box on my page anyway.

requinix Posted March 11, 2012

Great. Then let them enter whatever they want and you htmlentities() or htmlspecialchars() it before you display it anywhere.

(And yes, I realize there is no "onhover" event. I wasn't trying to be precise)

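
Added example (not part of the original thread, and not code from either poster): one way to apply the escape-on-output advice above while still auto-linking bare URLs without doubling up user-typed `<a>` tags. It assumes PHP 7 or later; `esc()` and `render_comment()` are hypothetical helper names and the sample comments are constructed.

```php
<?php
// Escape a value for HTML body text or a quoted attribute.
function esc(string $s): string
{
    // ENT_QUOTES also encodes ' so the value is safe in any quoted attribute.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render a raw comment as plain text, turning bare URLs into links.
function render_comment(string $raw): string
{
    // Only http(s)/ftp(s) URLs; stop at whitespace, quotes and angle brackets
    // so a URL inside user-typed markup does not swallow that markup.
    $url = '~((?:https?|ftps?)://[^\s"\'<>]+)~i';

    // With PREG_SPLIT_DELIM_CAPTURE, odd-numbered pieces are the URLs and
    // even-numbered pieces are the text between them.
    $parts = preg_split($url, $raw, -1, PREG_SPLIT_DELIM_CAPTURE);

    $out = '';
    foreach ($parts as $i => $part) {
        if ($i % 2 === 1) {
            // The URL is escaped both as the attribute value and as link text.
            $out .= '<a href="' . esc($part) . '" rel="nofollow noopener" target="_blank">'
                  . esc($part) . '</a>';
        } else {
            // Everything that is not a URL is shown as literal text.
            $out .= esc($part);
        }
    }
    // nl2br runs last so the <br /> tags it adds are not escaped.
    return nl2br($out);
}

// Constructed sample comments
$samples = [
    "see http://example.com/page?a=1&b=2 for details",
    '<a href="http://example.com">Example.com</a>',
    "<script>alert(1)</script>\nsecond line",
];
foreach ($samples as $s) {
    echo render_comment($s), "\n";
}
```

The same `esc()` call applies to `$comname` and any other stored value echoed into the page, since the original loop prints the user name unescaped as well.
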
Guber-X Posted March 11, 2012

lol, yeah I noticed that... but thanks for your help, I got it all working with htmlentities(). Tested it with a bunch of HTML tags and I have it set to show the tags in plain text.

PS: I had to scroll my text larger to read your tiny text there haha