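Dayo Posted April 16, 2010 Share Posted April 16, 2010 This is a small simple way to secure tags on forums or just about anywhere you use bbcode
<?php

/**
 * Render user-submitted bbcode, converting [img]url[/img] into an <img> tag
 * whose src has been vetted by secureimg().
 *
 * Everything else in the text is HTML-escaped first, so the only value that
 * reaches the browser unescaped is what secureimg() returns, and that
 * function escapes its own output. The original used preg_replace() with the
 * /e modifier, which eval()s the replacement string with the captured post
 * text spliced in (the modifier was removed in PHP 7.0);
 * preg_replace_callback() performs the same substitution without treating
 * post content as code.
 *
 * @param string $code raw bbcode text from the user
 * @return string HTML; newlines become <br />
 */
function img($code)
{
    // ENT_QUOTES also escapes single quotes, which delimit the <img>
    // attributes below; the default flag set only did that from PHP 8.1 on.
    $code_treated = htmlspecialchars((string) $code, ENT_QUOTES, 'UTF-8');

    $post_bbcode_treated = preg_replace_callback(
        '/\[img\](.+?)\[\/img\]/',
        function ($m) {
            // The capture is already HTML-escaped (see above); secureimg()
            // expects the raw URL and returns an attribute-safe string.
            $src = secureimg(html_entity_decode($m[1], ENT_QUOTES, 'UTF-8'));
            // id="img" is kept for compatibility with existing CSS/JS; note a
            // repeated id is invalid HTML once a post holds two images.
            return "<img src='" . $src . "' alt='User submitted image' id=\"img\" title='User submitted image' />";
        },
        $code_treated
    );

    return nl2br((string) $post_bbcode_treated);
}

/**
 * Vet a user-supplied image URL and return a value safe for src='…'.
 *
 * Only absolute http(s) URLs are accepted; anything else (relative paths,
 * file://, php://, phar://, data:) yields the placeholder without touching
 * the filesystem or the network. For an accepted URL the original
 * getimagesize() probe is kept, so the web server still fetches the URL
 * itself: a poster can make this host connect to any address it can reach,
 * bounded only by default_socket_timeout. An allow-list of image hosts, or
 * an image proxy, is the usual follow-up. With allow_url_fopen off the probe
 * fails and every remote URL maps to the placeholder.
 *
 * The original also ran str_replace('/.', '.') on the value plus a second
 * pair that reads as '&' → '&' as pasted (probably '&amp;' → '&' before the
 * board rendered it); neither is needed once the caller passes the raw URL
 * and only http(s) is accepted.
 *
 * @param string $img raw (not HTML-escaped) URL
 * @return string HTML-escaped URL, or 'images/broken.gif'
 */
function secureimg($img)
{
    $img = trim((string) $img);

    $scheme = strtolower((string) parse_url($img, PHP_URL_SCHEME));
    if (filter_var($img, FILTER_VALIDATE_URL) === false || !in_array($scheme, array('http', 'https'), true)) {
        return 'images/broken.gif';
    }

    // @ only silences the fetch warning; a non-array result means "not an
    // image we could read", which maps to the placeholder as before.
    $info = @getimagesize($img);
    if (!is_array($info)) {
        return 'images/broken.gif';
    }

    return htmlspecialchars($img, ENT_QUOTES, 'UTF-8');
}

// now all you do is wrap img() around the text and ur done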
Dominion Posted April 16, 2010 Share Posted April 16, 2010 looks like a nice post will be trying this out later thanks :) Quote Link to comment Share on other sites More sharing options...
SHAD Posted April 18, 2010 Share Posted April 18, 2010 Can someone please show me how that code will be placed in the bb parser.
<?php
// Direct-access guard. $_SERVER['PHP_SELF'] is a URL path and __FILE__ a
// filesystem path, so this comparison is unlikely to ever be true.
if($_SERVER['PHP_SELF'] == __FILE__) { header("Location:index.php"); exit; }

// bbcode -> HTML parser, posted as-is with the question of where to hook in
// the thread's secureimg().
//
// NOTE(review): many replacement strings below read as bbcode ([b], [/b],
// [url='$1'], [list=1], [*], [img=$1], [email='$1']) instead of HTML, and the
// [small] line has unescaped inner double quotes, which does not parse. That
// looks like the board's renderer rewriting HTML inside the post; treat the
// replacement strings as needing to be restored from the original source.
class bbcode {
/**
 * Convert bbcode in $text to HTML, one preg_replace() per tag, in order.
 *
 * The text is HTML-escaped first; only the replacement strings and the
 * captured tag arguments ($1/$2) are emitted as markup. With the default
 * htmlspecialchars() flags, single quotes are not escaped on PHP before 8.1,
 * so a capture placed inside a single-quoted attribute below ([font], [size],
 * [style], [colour]/[color], [quote name=]) can end the attribute early;
 * ENT_QUOTES closes that. (.+?) without the s modifier stops at a newline,
 * so tags handled before the &nbrlb; step cannot span lines.
 *
 * @param string $text raw bbcode
 * @return string HTML with newlines turned into <br />
 */
function bbcode_parse($text) {
// None of these globals is read in this method.
global $ir, $db, $userid, $set;
$text = htmlspecialchars($text);
// As pasted the next four replace a tag with itself (no-ops).
$text = preg_replace("/\[b\]/", "[b]", $text);
$text = preg_replace("/\[\/b\]/", "[/b]", $text);
$text = preg_replace("/\[i\]/", "[i]", $text);
$text = preg_replace("/\[\/i\]/", "[/i]", $text);
$text = preg_replace("/\[u\]/", "<span style='text-decoration:underline;'>", $text);
$text = preg_replace("/\[\/u\]/", "</span>", $text);
$text = preg_replace("/\[s\]/", "<s>", $text);
$text = preg_replace("/\[\/s\]/", "</s>", $text);
$text = preg_replace("/\[sub\](.+?)\[\/sub\]/", "<sub>$1</sub>", $text);
$text = preg_replace("/\[sup\](.+?)\[\/sup\]/", "<sup>$1</sup>", $text);
$text = preg_replace("/\[big\](.+?)\[\/big\]/", "<big>$1</big>", $text);
// Parse error as pasted: the inner double quotes are not escaped.
$text = preg_replace("/\[small\](.+?)\[\/small\]/", "[size="1"]$1[/size]", $text);
$text = preg_replace("/\[list\](.+?)\[\/list\]/", "<ul>$1[/list]", $text);
$text = preg_replace("/\[olist\](.+?)\[\/olist\]/", "[list=1]$1[/list]", $text);
$text = preg_replace("/\[li\](.+?)\[\/li\]/", "[*]$1", $text);
// $1 lands inside a single-quoted style attribute unescaped (see docblock).
$text = preg_replace("/\[font=(.+?)\](.+?)\[\/font\]/", "<span style='font-family:$1'>$2</span>", $text);
$text = preg_replace("/\[size=(.+?)\](.+?)\[\/size\]/", "<font size='$1'>$2</font>", $text);
// As pasted this is a no-op; if the original emits an anchor, $1 becomes the
// href with no scheme check.
$text = preg_replace("/\[url=(.+?)\](.+?)\[\/url\]/", "[url='$1']$2[/url]", $text);
// As pasted these two are no-ops; if the original emits an <img> tag, the src
// goes out unvalidated — this is the spot the thread's secureimg() is for.
$text = preg_replace("/\[img=(.+?)\]/", "[img=$1]", $text);
$text = preg_replace("/\[img\](.+?)\[\/img\]/", "[img=$1]", $text);
// Park newlines so the patterns below can match across lines.
$text = preg_replace("/\n/", "&nbrlb;", $text);
$text = preg_replace("/\[email=(.+?)\](.+?)\[\/email\]/", "[email='$1']$2[/email]", $text);
$text = preg_replace("/\[email\](.+?)\[\/email\]/", "[email='$1']$1[/email]", $text);
$text = preg_replace("/\[left\](.+?)\[\/left\]/", "<div style='text-align: left;'>$1</div>", $text);
$text = preg_replace("/\[center\](.+?)\[\/center\]/", "<div style='text-align: center;'>$1</div>", $text);
$text = preg_replace("/\[right\](.+?)\[\/right\]/", "<div style='text-align: right;'>$1</div>", $text);
$text = preg_replace("/\[quote name='(.+?)\'](.+?)\[\/quote\]/", "<div class='quotetop'>Quote($1)</div><div class='quotemain'>$2</div>", $text);
$text = preg_replace("/\[quote\](.+?)\[\/quote\]/", "<div class='quotetop'>Quote</div><div class='quotemain'>$1</div>", $text);
// $1 is arbitrary user CSS placed in a single-quoted style attribute.
$text = preg_replace("/\[style=(.+?)\](.+?)\[\/style\]/", "<div style='$1'>$2</div>", $text);
// Duplicate of the [quote] rule two lines up.
$text = preg_replace("/\[quote\](.+?)\[\/quote\]/","<div class='quotetop'>Quote</div><div class='quotemain'>$1</div>", $text);
$text = preg_replace("/\[code\](.+?)\[\/code\]/","<div class='codetop'>Code</div><div class='codemain'><code>$1</code></div>", $text);
$text = preg_replace("/\[codebox\](.+?)\[\/codebox\]/","<div class='codetop'>Code</div><div class='codemain'><code>$1</code></div>", $text);
// Restore the parked newlines (with a leading space) for nl2br() below.
$text = preg_replace("/&nbrlb;/", " \n", $text);
$text = preg_replace("/\[colour=(.+?)\]/", "<span style='color:$1;'>", $text);
$text = preg_replace("/\[\/colour\]/", "</span>", $text);
$text = preg_replace("/\[color=(.+?)\]/", "<span style='color:$1;'>", $text);
$text = preg_replace("/\[\/color\]/", "</span>", $text);
// As pasted, [br] variants become a single space.
$text = preg_replace("/\[br \/]/", " ", $text);
$text = preg_replace("/\[br]/", " ", $text);
$text = preg_replace("/\[hr \/]/", "<hr />", $text);
$text = preg_replace("/\[hr]/", "<hr />", $text);
$text = preg_replace("/\[list\]/", "<ul>", $text);
$text = preg_replace("/\[\/list\]/", "[/list]", $text);
$text = preg_replace("/\[olist\]/", "[list=1]", $text);
$text = preg_replace("/\[\/olist\]/", "[/list]", $text);
$text = preg_replace("/\[li\]/", "[*]", $text);
$text = preg_replace("/\[\/li\]/", "", $text);
return nl2br($text);
}
}
// Class names are case-insensitive in PHP, so this is the bbcode class above.
$bbc = new BBCode;
?>
Danny696 Posted April 18, 2010 Share Posted April 18, 2010 LOL, using Ant's bbcode_parser I see, haha. Seriously, don't ever claim it as your parser Quote Link to comment Share on other sites More sharing options...
Danny696 Posted April 18, 2010 Share Posted April 18, 2010 Check this website out, http://www.ultramegatech.com/blog/2009/04/creating-a-bbcode-parser/ Quote Link to comment Share on other sites More sharing options...
SHAD Posted April 18, 2010 Share Posted April 18, 2010 I would never claim anyone's work to be mine; I use forums and bbcode made by Antony. I just needed someone to add the secure image tags. Quote Link to comment Share on other sites More sharing options...
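Dayo Posted April 18, 2010 Author Share Posted April 18, 2010
<?php

// Direct-access guard. The original compared $_SERVER['PHP_SELF'] (a URL
// path) with __FILE__ (a filesystem path); those practically never match, so
// it redirected nothing. Compare the served script's filesystem path instead,
// and skip the check on the CLI, where there is no request to redirect.
if (PHP_SAPI !== 'cli' && isset($_SERVER['SCRIPT_FILENAME']) && realpath($_SERVER['SCRIPT_FILENAME']) === __FILE__) {
    header("Location:index.php");
    exit;
}

/**
 * bbcode -> HTML parser with the [img] tag routed through secureimg().
 *
 * NOTE(review): as pasted, many replacement strings read as bbcode ([b],
 * [url='$1'], [list=1], [*], [email='$1']) rather than HTML, and the [small]
 * replacement carried unescaped inner quotes, which is a parse error (escaped
 * below so the file loads). That looks like the board's renderer rewriting
 * the HTML in the post; restore those strings from the original parser
 * before using this file.
 */
class bbcode
{
    /**
     * Vet a user-supplied image URL and return a value safe for src='…'.
     *
     * Only absolute http(s) URLs are accepted; anything else (relative
     * paths, file://, php://, phar://, data:) yields the placeholder without
     * touching the filesystem or the network. For an accepted URL the
     * original getimagesize() probe is kept, so the web server still fetches
     * the URL itself: a poster can make this host connect to any address it
     * can reach, bounded only by default_socket_timeout. An allow-list of
     * image hosts, or an image proxy, is the usual follow-up. With
     * allow_url_fopen off the probe fails and every remote URL maps to the
     * placeholder.
     *
     * The original's str_replace('/.', '.') and the pair that reads as
     * '&' → '&' as pasted (probably '&amp;' → '&' before the board rendered
     * it) are dropped: the caller now passes the raw URL.
     *
     * @param string $img raw (not HTML-escaped) URL
     * @return string HTML-escaped URL, or 'images/broken.gif'
     */
    public function secureimg($img)
    {
        $img = trim((string) $img);

        $scheme = strtolower((string) parse_url($img, PHP_URL_SCHEME));
        if (filter_var($img, FILTER_VALIDATE_URL) === false || !in_array($scheme, array('http', 'https'), true)) {
            return 'images/broken.gif';
        }

        // @ only silences the fetch warning; a non-array result means "not
        // an image we could read", which maps to the placeholder as before.
        $info = @getimagesize($img);
        if (!is_array($info)) {
            return 'images/broken.gif';
        }

        return htmlspecialchars($img, ENT_QUOTES, 'UTF-8');
    }

    /**
     * Convert bbcode in $text to HTML, one preg_replace() per tag, in the
     * order listed; the [img] tag is handled last through img_tag().
     *
     * The text is HTML-escaped with ENT_QUOTES first (the original used the
     * default flags, which leave single quotes alone on PHP before 8.1 while
     * most attributes below are single-quoted). Because of that, the
     * [quote name='…'] pattern also accepts the escaped form &#039;.
     * Newlines are parked as &nbrlb; half-way down so the later patterns can
     * match across lines; (.+?) without the s modifier stops at a newline,
     * so the tags handled before that point cannot. The original's unused
     * `global $ir, $db, $userid, $set;` is dropped.
     *
     * @param string $text raw bbcode
     * @return string HTML with newlines turned into <br />
     */
    public function bbcode_parse($text)
    {
        $text = htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
        $text = preg_replace("/\[b\]/", "[b]", $text);
        $text = preg_replace("/\[\/b\]/", "[/b]", $text);
        $text = preg_replace("/\[i\]/", "[i]", $text);
        $text = preg_replace("/\[\/i\]/", "[/i]", $text);
        $text = preg_replace("/\[u\]/", "<span style='text-decoration:underline;'>", $text);
        $text = preg_replace("/\[\/u\]/", "</span>", $text);
        $text = preg_replace("/\[s\]/", "<s>", $text);
        $text = preg_replace("/\[\/s\]/", "</s>", $text);
        $text = preg_replace("/\[sub\](.+?)\[\/sub\]/", "<sub>$1</sub>", $text);
        $text = preg_replace("/\[sup\](.+?)\[\/sup\]/", "<sup>$1</sup>", $text);
        $text = preg_replace("/\[big\](.+?)\[\/big\]/", "<big>$1</big>", $text);
        // Inner quotes escaped; as pasted they were bare and did not parse.
        $text = preg_replace("/\[small\](.+?)\[\/small\]/", "[size=\"1\"]$1[/size]", $text);
        $text = preg_replace("/\[list\](.+?)\[\/list\]/", "<ul>$1[/list]", $text);
        $text = preg_replace("/\[olist\](.+?)\[\/olist\]/", "[list=1]$1[/list]", $text);
        $text = preg_replace("/\[li\](.+?)\[\/li\]/", "[*]$1", $text);
        $text = preg_replace("/\[font=(.+?)\](.+?)\[\/font\]/", "<span style='font-family:$1'>$2</span>", $text);
        $text = preg_replace("/\[size=(.+?)\](.+?)\[\/size\]/", "<font size='$1'>$2</font>", $text);
        $text = preg_replace("/\[url=(.+?)\](.+?)\[\/url\]/", "[url='$1']$2[/url]", $text);
        // Park newlines so the patterns below can match across lines.
        $text = preg_replace("/\n/", "&nbrlb;", $text);
        $text = preg_replace("/\[email=(.+?)\](.+?)\[\/email\]/", "[email='$1']$2[/email]", $text);
        $text = preg_replace("/\[email\](.+?)\[\/email\]/", "[email='$1']$1[/email]", $text);
        $text = preg_replace("/\[left\](.+?)\[\/left\]/", "<div style='text-align: left;'>$1</div>", $text);
        $text = preg_replace("/\[center\](.+?)\[\/center\]/", "<div style='text-align: center;'>$1</div>", $text);
        $text = preg_replace("/\[right\](.+?)\[\/right\]/", "<div style='text-align: right;'>$1</div>", $text);
        // The quote character arrives as &#039; after ENT_QUOTES escaping.
        $text = preg_replace("/\[quote name=(?:'|&#039;)(.+?)(?:'|&#039;)\](.+?)\[\/quote\]/", "<div class='quotetop'>Quote($1)</div><div class='quotemain'>$2</div>", $text);
        $text = preg_replace("/\[quote\](.+?)\[\/quote\]/", "<div class='quotetop'>Quote</div><div class='quotemain'>$1</div>", $text);
        // $1 is user-supplied CSS; ENT_QUOTES keeps it inside the attribute.
        $text = preg_replace("/\[style=(.+?)\](.+?)\[\/style\]/", "<div style='$1'>$2</div>", $text);
        $text = preg_replace("/\[quote\](.+?)\[\/quote\]/","<div class='quotetop'>Quote</div><div class='quotemain'>$1</div>", $text);
        $text = preg_replace("/\[code\](.+?)\[\/code\]/","<div class='codetop'>Code</div><div class='codemain'><code>$1</code></div>", $text);
        $text = preg_replace("/\[codebox\](.+?)\[\/codebox\]/","<div class='codetop'>Code</div><div class='codemain'><code>$1</code></div>", $text);
        // Restore the parked newlines (with a leading space) for nl2br().
        $text = preg_replace("/&nbrlb;/", " \n", $text);
        $text = preg_replace("/\[colour=(.+?)\]/", "<span style='color:$1;'>", $text);
        $text = preg_replace("/\[\/colour\]/", "</span>", $text);
        $text = preg_replace("/\[color=(.+?)\]/", "<span style='color:$1;'>", $text);
        $text = preg_replace("/\[\/color\]/", "</span>", $text);
        $text = preg_replace("/\[br \/]/", " ", $text);
        $text = preg_replace("/\[br]/", " ", $text);
        $text = preg_replace("/\[hr \/]/", "<hr />", $text);
        $text = preg_replace("/\[hr]/", "<hr />", $text);
        $text = preg_replace("/\[list\]/", "<ul>", $text);
        $text = preg_replace("/\[\/list\]/", "[/list]", $text);
        $text = preg_replace("/\[olist\]/", "[list=1]", $text);
        $text = preg_replace("/\[\/olist\]/", "[/list]", $text);
        $text = preg_replace("/\[li\]/", "[*]", $text);
        $text = preg_replace("/\[\/li\]/", "", $text);

        // Replaces the original's preg_replace() with the /e modifier and the
        // '$this->secureimg("$1")' replacement string, which eval()ed post
        // text; /e was removed in PHP 7.0 and this is the supported form.
        $text = preg_replace_callback('/\[img\](.+?)\[\/img\]/', array($this, 'img_tag'), $text);

        return nl2br((string) $text);
    }

    /**
     * preg_replace_callback() target for [img]…[/img].
     *
     * @param array $m regex match; $m[1] is the HTML-escaped URL text
     * @return string <img> tag whose src comes from secureimg()
     */
    public function img_tag($m)
    {
        // The capture was escaped by bbcode_parse(); secureimg() wants the raw
        // URL and returns an attribute-safe string.
        $src = $this->secureimg(html_entity_decode($m[1], ENT_QUOTES, 'UTF-8'));
        // id="img" is kept for compatibility with existing CSS/JS; note a
        // repeated id is invalid HTML once a post holds two images.
        return "<img src='" . $src . "' alt='User submitted image' id=\"img\" title='User submitted image' />";
    }
}

$bbc = new BBCode;
// this is untested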
SHAD Posted April 18, 2010 Share Posted April 18, 2010 Thank you very much Dayo, it works perfectly. Quote Link to comment Share on other sites More sharing options...
Dayo Posted April 18, 2010 Author Share Posted April 18, 2010 no problem mate i hope this will help many out :thumbup: Quote Link to comment Share on other sites More sharing options...
SHAD Posted April 19, 2010 Share Posted April 19, 2010 For some reason, if I put it in my profile sig, then go to my sig and refresh, it logs me out. I am not sure if it works now. ?( Quote Link to comment Share on other sites More sharing options...
Dayo Posted April 19, 2010 Author Share Posted April 19, 2010 Check that it passes the sig img tags through the img tag I supplied, NOT an existing one; e.g. if the old img tags are still there, this does not override them. Quote Link to comment Share on other sites More sharing options...
Lithium Posted April 20, 2010 Share Posted April 20, 2010 Despite the sense of security, I must say that this will fail, mainly if you are going to deal with GIF images. Arbitrary code can be placed inside the image, still making a valid image file, and it will get executed as soon as the file is called. You ought to consider allowing users to upload their own images and then locking, with .htaccess, the execution of any code from within the upload directory, with something along these lines... Order allow,deny allow from all <FilesMatch "\.php$"> deny from all </FilesMatch> This works because the code inside the image only runs when the server hands the file to an interpreter, and the rule stops that for the upload directory. The given example covers PHP, yet you can expand it to whatever your host allows to execute! Quote Link to comment Share on other sites More sharing options...
CrazyT Posted April 21, 2010 Share Posted April 21, 2010 Despite the sense of security, i must say that this will fail, mainly if you are going to deal with GIF images. Arbitrary code can be placed inside the image, still making a valid image file and it will get executed as soon as the file is called. You ought to consider allowing users to upload their own images and then locking with .htaccess the execution of any code from within the upload directory, with something along these lines... Order allow,deny allow from all <FilesMatch "\.php$"> deny from all </FilesMatch> The given example goes to php, yet you can expand it for whatsoever your host allows to execute! Then you check the image before you display it, to see if it contains php inside. simple. Quote Link to comment Share on other sites More sharing options...
mj12 Posted April 26, 2010 Share Posted April 26, 2010 Despite the sense of security, i must say that this will fail, mainly if you are going to deal with GIF images. Arbitrary code can be placed inside the image, still making a valid image file and it will get executed as soon as the file is called. You ought to consider allowing users to upload their own images and then locking with .htaccess the execution of any code from within the upload directory, with something along these lines... Order allow,deny allow from all <FilesMatch "\.php$"> deny from all </FilesMatch> The given example goes to php, yet you can expand it for whatsoever your host allows to execute! Thats actually how i secure my directory...that and other methods as well. Quote Link to comment Share on other sites More sharing options...
CJ - Twitch Posted May 29, 2010 Share Posted May 29, 2010 Check this website out, http://www.ultramegatech.com/blog/2009/04/creating-a-bbcode-parser/ Very Nice! Quote Link to comment Share on other sites More sharing options...