a_bertrand Posted October 29, 2009

Here is a simple way (it could be written differently) to avoid HTML / JS injections and at the same time support (some of) the BB tags:

```php
<?php
// Reconstruction of the posted function. The board's HTML-to-BBCode
// conversion mangled the literal tags in the post ("<b>" showed as "[b]",
// "<ol>" as "[list=1]", "<li>" as "[*]", "&lt;"/"&gt;" as "<"/">");
// the placeholder table at the end of the function shows the intended tags.
function view_bb($desc) {
    $desc = nl2br($desc);

    // Stage 1: rewrite the HTML tags that are allowed into private
    // placeholders, so that the escaping step below leaves them alone.
    $desc = preg_replace("/<ul>/i", "[uL]", $desc);
    $desc = preg_replace("/<ol>/i", "[OL]", $desc);
    $desc = preg_replace("/<center>/i", " [center]", $desc);
    $desc = preg_replace("/<\\/[ ]*center>/i", "[/center] ", $desc);
    $desc = preg_replace("/<\\/[ ]*ul>/i", "[/uL]", $desc);
    $desc = preg_replace("/<\\/[ ]*ol>/i", "[/OL]", $desc);
    $desc = preg_replace("/<li>/i", "[LI]", $desc);
    $desc = preg_replace("/<\\/[ ]*li>/i", "[/LI]", $desc);
    $desc = preg_replace("/<\\/[ ]*a>/i", "[/A]", $desc);
    $desc = preg_replace("/<br[ \\/]*>/i", "[bR]", $desc);
    $desc = preg_replace("/<b>/i", "[b]", $desc);
    $desc = preg_replace("/<\\/[ ]*b>/i", "[/b]", $desc);
    $desc = preg_replace("/<strong>/i", "[b]", $desc);
    $desc = preg_replace("/<\\/[ ]*strong>/i", "[/b]", $desc);
    $desc = preg_replace("/<s>/i", "[b]", $desc);          // as posted: <s> is rendered bold
    $desc = preg_replace("/<\\/[ ]*s>/i", "[/b]", $desc);
    $desc = preg_replace("/<u>/i", "[u]", $desc);
    $desc = preg_replace("/<\\/[ ]*u>/i", "[/u]", $desc);   // the post matched "</i>" here, which swallowed every closing italic
    $desc = preg_replace("/<i>/i", "[i]", $desc);
    $desc = preg_replace("/<\\/[ ]*i>/i", "[/i]", $desc);
    $desc = preg_replace("/<p>/i", "[P]", $desc);
    $desc = preg_replace("/<\\/[ ]*p>/i", "[/P]", $desc);
    $desc = preg_replace("/<\\/[ ]*font>/i", "[/font]", $desc);
    $desc = preg_replace("/<font size=([\\+\\-0-9]*)>/i", "[font SIZE=\$1]", $desc);
    $desc = preg_replace("/<font color=[ ]*(\\\")?([\\#0-9A-Za-z]*)(\\\")?>/i", "[font COLOR=\$2]", $desc);
    $desc = preg_replace("/<font size=([\\+\\-0-9]*) color=[ ]*[\"]{0,1}([\\#0-9A-Za-z]*)[\"]{0,1}>/i", "[font SIZE=\$1 COLOR=\$2]", $desc);
    $desc = preg_replace("/<font color=[ ]*[\\\"]?([\\#0-9A-Za-z]*)[\\\"]? size=([\\+\\-0-9]*)>/i", "[font SIZE=\$2 COLOR=\$1]", $desc);
    $desc = preg_replace("/<a href\\=[\"]{0,1}([a-zA-Z0-9\\.\\-_:@%\\/\\;\\$\\(\\)~\\?\\+\\\\&]*)[\"]{0,1}>/i", "[A HREF=\$1]", $desc);

    // Stage 2: every '<' and '>' still present belongs to a tag that is not
    // allowed, so neutralise them. Quotes are left untouched.
    $desc = str_replace(array("<", ">"), array("&lt;", "&gt;"), $desc);

    // Stage 3: turn the placeholders, and the BB tags the user typed, back into HTML.
    // ([/OL] was missing from the table in the post and leaked through as text.)
    $desc = str_replace(
        array("[OL]", "[/OL]", "[uL]", "[/uL]", "[LI]", "[/LI]", "[/A]", "[bR]", "[b]", "[/b]",
              " [center]", "[/center] ", "[/font]", "[P]", "[/P]", "[i]", "[/i]", "[u]", "[/u]"),
        array("<OL>", "</OL>", "<UL>", "</UL>", "<LI>", "</LI>", "</A>", "<BR>", "<B>", "</B>",
              "<CENTER>", "</CENTER>", "</FONT>", "<P>", "</P>", "<I>", "</I>", "<U>", "</U>"),
        $desc);
    $desc = preg_replace("/\\[font SIZE\\=([\\+\\-0-9]*)\\]/", "<FONT SIZE=\$1>", $desc);
    $desc = preg_replace("/\\[font COLOR\\=([\\#0-9A-Za-z]*)\\]/", "<FONT COLOR=\$1>", $desc);
    $desc = preg_replace("/\\[font SIZE\\=([\\+\\-0-9]*) COLOR\\=([\\#0-9A-Za-z]*)\\]/", "<FONT SIZE=\$1 COLOR=\$2>", $desc);
    $desc = preg_replace("/\\[A HREF\\=([a-zA-Z0-9\\.\\-_:@%\\/\\;\\$\\(\\)~\\?\\+\\\\&]*)\\]/", "<A HREF=\$1 TARGET=_blank>", $desc);
    // Non-greedy (.+?) so that two tags on one line do not merge into one.
    $desc = preg_replace("/\\[img width=([0-9]+)\\](.+?)\\[\\/[ ]*img\\]/i", "<IMG SRC=\"\$2\" BORDER=0 WIDTH=\$1>", $desc);
    $desc = preg_replace("/\\[img width=([0-9]+) height=([0-9]+)\\](.+?)\\[\\/[ ]*img\\]/i", "<IMG SRC=\"\$3\" BORDER=0 WIDTH=\$1 HEIGHT=\$2>", $desc);
    $desc = preg_replace("/\\[img height=([0-9]+) width=([0-9]+)\\](.+?)\\[\\/[ ]*img\\]/i", "<IMG SRC=\"\$3\" BORDER=0 WIDTH=\$2 HEIGHT=\$1>", $desc);
    $desc = preg_replace("/\\[img\\](.+?)\\[\\/[ ]*img\\]/i", "<IMG SRC=\"\$1\">", $desc);
    $desc = preg_replace("/\\[url\\](.+?)\\[\\/[ ]*url\\]/i", "<A HREF=\"\$1\">\$1</A>", $desc);
    // Auto-link bare URLs that are not already inside an attribute value.
    $desc = preg_replace("/(^|[^\"'=])((http|https):\\/\\/[a-zA-Z0-9\\.\\-_:@%\\/\\;\\$\\(\\)~\\?\\+\\\\&]*)/", "\$1<A HREF=\"\$2\" TARGET=_blank>\$2</A>", $desc);
    return $desc;
}
```

To use it:

```php
echo view_bb("This is [b]MY[/b] BB code tool<div onClick='alert(1)'>will not work!</div>");
```
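The design above escapes `<` and `>` but never `"`, and it copies the contents of `[img]`, `[url]` and `<a href=...>` into attribute values without looking at them. Reading the function, `[img]x" onerror="alert(1)[/img]` therefore becomes `<IMG SRC="x" onerror="alert(1)">`, and `<a href="javascript:alert(1)">` survives the `<a href=...>` rule (its character class allows `:`, `(` and `)`) and comes back out as `<A HREF=javascript:alert(1) TARGET=_blank>`. The following is an added example, not code from the post or its author: a small BB-to-HTML renderer that closes both gaps by escaping everything first (quotes included) and rebuilding URL-bearing tags through a callback that only accepts absolute http(s) URLs. The function names `render_bb` and `safe_url`, the tag subset and the sample inputs are this example's own choices.

```php
<?php
// Added example (not the posted function): escape first, then rebuild a small
// set of BB tags, validating every value that ends up inside an attribute.

function safe_url(string $raw): ?string {
    // $raw arrives HTML-escaped; decode it so the real URL is inspected.
    $url = trim(html_entity_decode($raw, ENT_QUOTES, 'UTF-8'));
    // Allowlist: absolute http(s) only. This refuses javascript:, data:,
    // vbscript: and scheme-relative URLs, and anything that could close a quote.
    if (!preg_match('#^https?://[^\s<>"\']+$#i', $url)) {
        return null;
    }
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

function render_bb(string $text): string {
    // Step 1: neutralise every HTML metacharacter, quotes included, so that
    // no later step can be used to break out of an attribute value.
    $out = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    $out = nl2br($out);

    // Step 2: plain formatting tags map to fixed strings; no user data goes
    // into the generated tag itself.
    $simple = [
        '/\[b\](.*?)\[\/b\]/is' => '<b>$1</b>',
        '/\[i\](.*?)\[\/i\]/is' => '<i>$1</i>',
        '/\[u\](.*?)\[\/u\]/is' => '<u>$1</u>',
    ];
    $out = preg_replace(array_keys($simple), array_values($simple), $out);

    // Step 3: URL-bearing tags go through the allowlist. A rejected URL is
    // left as escaped text rather than becoming a tag.
    $out = preg_replace_callback('/\[url\](.*?)\[\/url\]/is', function ($m) {
        $url = safe_url($m[1]);
        return $url === null ? $m[0]
            : '<a href="' . $url . '" target="_blank" rel="noopener">' . $url . '</a>';
    }, $out);
    $out = preg_replace_callback('/\[img\](.*?)\[\/img\]/is', function ($m) {
        $url = safe_url($m[1]);
        return $url === null ? $m[0] : '<img src="' . $url . '" alt="">';
    }, $out);
    // width is forced to digits by the pattern, so it cannot carry anything else.
    $out = preg_replace_callback('/\[img width=(\d+)\](.*?)\[\/img\]/is', function ($m) {
        $url = safe_url($m[2]);
        return $url === null ? $m[0]
            : '<img src="' . $url . '" width="' . $m[1] . '" alt="">';
    }, $out);
    return $out;
}

// Constructed inputs: the first three are the break-outs the original design
// lets through; the last is an ordinary post.
$samples = [
    '[img]x" onerror="alert(1)[/img]',
    '[url]javascript:alert(1)[/url]',
    '<a href="javascript:alert(1)">x</a>',
    'See [b]this[/b]: [url]https://example.com/?a=1&b=2[/url]',
];
foreach ($samples as $s) {
    echo render_bb($s), "\n";
}
```

Run it and the first two samples come back as inert escaped text (`[img]x&quot; onerror=&quot;alert(1)[/img]`, `[url]javascript:alert(1)[/url]`), the third as `&lt;a href=&quot;javascript:alert(1)&quot;&gt;x&lt;/a&gt;`, and only the last produces a live link, with the `&` in the query string correctly re-encoded as `&amp;` inside the attribute. The point is the ordering: escaping happens once, before any tag is rebuilt, and the only way back into an attribute is through a function that says what a URL is allowed to look like.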
seanybob Posted October 29, 2009

Not too shabby. Being horrid at regular expressions, I would always have trouble with img tags in bbcode when I created my bbcode engine, and I see you took care of those quite nicely.
a_bertrand Posted October 29, 2009 (Author)

The most difficult part was to have automatic links for URLs written within the text. It should all work; maybe there are some cases not covered. I could use fewer preg_replace calls by feeding it arrays of expressions and replacements, but I thought it would be a bit more readable like this.