
How to stop BB Code manipulation?

Hi, I recently discovered an issue where people using BB Code to enter links are able to manipulate them.

They are meant to enter something like:

[LINK]http://www.domain.com[/LINK]

However they can enter something like this to make the link color red:

[LINK]http://www.domain.com 'span style="color:red;"'[/LINK]

This is the code which converts it:

$text = preg_replace("/\\[LINK\\](.*?)\\[\/LINK\\]/is",
                     "<a href='$1' target='_blank'>$1</a>", $text);

Also, I forgot, this is the other type:

[LINK=http://www.domain.com]example text[/LINK]

$text = preg_replace("/\\[LINK=(.*?)\\](.*?)\\[\/LINK\\]/is",
                     "<a href='$1' target='_blank'>$2</a>", $text);


Don't allow quotes and such in the url, and strip tags which failed in the first pass:

$text = preg_replace("/\[LINK\]([^'\"\\s]*?)\[\/LINK\]/is",
                     "<a href='$1' target='_blank'>$1</a>", $text);

$text = preg_replace("/\[LINK\](.*?)\[\/LINK\]/is", "<i>(link removed)</i>", $text);


That's very dangerous, especially if your guests are smart enough to start adding onclick handlers onto the link.

As mvds has said, replace all quotations and apostrophes. Sanitising input is essential.

For this particular URL problem however, that won't necessarily help. There are however plenty of regex URL validators which would strip out any naughty little code modifiers from the actual URL.

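Putting the two answers together (reject anything that is not a plain web URL, and never interpolate user text into the tag unescaped), here is an added example that is not from the question or either answer; it assumes PHP 7.4 or later and handles both BBCode forms from the question with one callback:

```php
<?php
// Added example (not from the question or either answer), PHP 7.4+.
// Both BBCode forms go through one callback: the URL is validated and
// the href and label are HTML-escaped instead of being interpolated raw.
/** Return the URL if it is an absolute http(s) URL, otherwise null. */
function safe_link_url(string $candidate): ?string
{
    $url = trim($candidate);
    // filter_var rejects quotes, spaces and other characters that would
    // break out of the attribute; the scheme check rejects non-web links.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}
/** Build the anchor tag, or a placeholder when the URL was rejected. */
function render_link(string $url, string $label): string
{
    $safe = safe_link_url($url);
    if ($safe === null) {
        return '<i>(link removed)</i>';
    }
    $href = htmlspecialchars($safe, ENT_QUOTES, 'UTF-8');
    $text = htmlspecialchars($label, ENT_QUOTES, 'UTF-8');
    return "<a href=\"$href\" target=\"_blank\" rel=\"noopener noreferrer\">$text</a>";
}
function convert_bbcode_links(string $text): string
{
    // [LINK=url]text[/LINK] first, then [LINK]url[/LINK]
    $text = preg_replace_callback(
        '/\[LINK=([^\]]*)\](.*?)\[\/LINK\]/is',
        fn(array $m) => render_link($m[1], $m[2]),
        $text
    );
    return preg_replace_callback(
        '/\[LINK\](.*?)\[\/LINK\]/is',
        fn(array $m) => render_link($m[1], $m[1]),
        $text
    );
}
// Constructed inputs, including the manipulated link from the question.
$samples = [
    '[LINK]http://www.domain.com[/LINK]',
    '[LINK]http://www.domain.com \'span style="color:red;"\'[/LINK]',
    '[LINK=http://www.domain.com]example <b>text</b>[/LINK]',
];
foreach ($samples as $s) {
    echo convert_bbcode_links($s), "\n";
}
```

The second sample becomes the "(link removed)" placeholder because the embedded space and quotes fail URL validation, and the third shows the label being escaped rather than rendered as markup.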