PHP BBcode using preg_replace () - Prevent users from entering onClick, onKeyPress

I have a simple question (not for me), ok, first, please take a look at this:

$msg=preg_replace("/\[b(.*?)\](.*?)\[\/b\]/i", "<b $1>$2</b>", $msg);

Well, with this regexp, $msg will have the matched part replaced and put into a new form (I don't know how to explain it; how about an example):

It will turn

[b]TEXT[/b]

into

<b>TEXT</b>

Or it will turn

[b style="color: red;" title="HELLO"]TEXT[/b]

into

<b style="color: red;" title="HELLO">TEXT</b>

This raises the problem of what happens when it turns:

[b onclick="SOME TROJAN SCRIPT"]TEXT[/b]

into

<b onclick="SOME TROJAN SCRIPT">TEXT</b>

And all I want to do, instead of replacing all the attributes, is: after [b attribute1 attribute2 ... attributeN], the function should keep those attributes AS LONG AS THEY DO NOT START WITH on (like onClick, onMouseOver ...).

I appreciate any suggestion ^^! Thanks in advance, guys ...

+3
4 answers

PECL BBCode-. PEAR eqiv, PECL. BBCode ... .

+2

Regex HTML/JavaScript .

HTML-.

+1

, , - , javascript. . , , css , (1) , HTML-, XSS, (2) <b>, css.

0

, :

s/\[b(\s*|\s+(?:(?!(?<=\s)on..*?\s*=\s*['"]).)*?)\](.*?)\[\/b\]/<b$1>$2<\/b>/xi

rx = /\[b(\s*|\s+(?:(?!(?<=\s)on..*?\s*=\s*['"]).)*?)\](.*?)\[\/b\]/
= <b$1>$2<\/b>

.

EDIT: Sample test case [b onclick="alert('HELLO');"]HELLO[/b]

use strict;
use warnings;

# Sample inputs: the cases from the question plus a few edge cases
# (an attribute literally named "on", a name that merely contains "on",
# and inner text spanning a line break).
my @samps = (
 '[b]TEXT[/b]',
 '[b on="]TEXT[/b]',
 '[b styleon="color: red;" title="HELLO"]TE
        XT[/b]',
 '[b onclick="SOME TROJAN SCRIPT"]TEXT[/b]',
 '[b onclick="alert(\'HELLO\');"]HELLO[/b]',
);

for (@samps) {
   print "Testing $_\n";
   # $1 is the attribute string; the negative lookahead refuses the match
   # if any whitespace-preceded name starting with "on" is followed by
   # an "=" and a quote. /s lets "." cross the line break in the inner text.
   if ( s/\[b(\s*|\s+(?:(?!(?<=\s)on..*?\s*=\s*['"]).)*?)\](.*?)\[\/b\]/<b$1>$2<\/b>/si ) {
      print " .. passed  $_\n";
   }
   else {
      print " .. failed\n";
   }
}

Output

Testing [b]TEXT[/b]
 .. passed  <b>TEXT</b>
Testing [b on="]TEXT[/b]
 .. passed  <b on=">TEXT</b>
Testing [b styleon="color: red;" title="HELLO"]TE
        XT[/b]
 .. passed  <b styleon="color: red;" title="HELLO">TE
        XT</b>
Testing [b onclick="SOME TROJAN SCRIPT"]TEXT[/b]
 .. failed
Testing [b onclick="alert('HELLO');"]HELLO[/b]
 .. failed
0
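The question asks for a preg_replace that keeps every attribute except those starting with "on", and the last answer implements exactly that as a deny-list regex. The following is an added example, not code from the question or from any of the answers, showing the allow-list approach a defender would normally reach for instead: the attribute string of [b ...] is tokenised into name="value" pairs, and only names on an explicit allow-list whose values match a strict pattern survive; anything else (unknown names such as onclick, unquoted values, stray characters) is dropped. The function names bbBold and bbFilterAttrs, the allow-list of title and style with their value patterns, and the requirement of PHP 7.4 or newer are assumptions of this example.

```php
<?php
// Added example (not from the question or any of the answers):
// replace the deny-list regex on "on..." attributes with an allow-list
// parser for the attributes of a [b ...] tag.
// Attribute names, value patterns and sample inputs are assumptions.
declare(strict_types=1);

// Allow-list: attribute name => regex its value must fully match.
const BB_ALLOWED_ATTRS = [
    // plain text, no markup or quote characters, at most 100 chars
    'title' => '/\A[^<>"\'&\r\n]{0,100}\z/',
    // a deliberately tiny CSS subset: one colour property, named or hex value
    'style' => '/\A(?:color|background-color)\s*:\s*(?:[a-z]{3,20}|#[0-9a-f]{3,6})\s*;?\z/i',
];

/**
 * Turn the raw text between "[b" and "]" into a safe attribute string.
 * Only name="value" / name='value' pairs preceded by whitespace are
 * recognised; everything else (unquoted values, unknown names, values
 * that fail their pattern) is dropped rather than passed through.
 */
function bbFilterAttrs(string $raw): string
{
    $out = '';
    $pairPattern = '/\s+([a-z][a-z0-9-]*)\s*=\s*("[^"]*"|\'[^\']*\')/i';
    if (!preg_match_all($pairPattern, $raw, $pairs, PREG_SET_ORDER)) {
        return '';
    }
    foreach ($pairs as $pair) {
        $name  = strtolower($pair[1]);
        $value = substr($pair[2], 1, -1); // strip the surrounding quotes
        if (!isset(BB_ALLOWED_ATTRS[$name])) {
            continue; // not on the allow-list (this covers onclick, onmouseover, ...)
        }
        if (!preg_match(BB_ALLOWED_ATTRS[$name], $value)) {
            continue; // allowed name, but the value is not in the permitted form
        }
        $out .= ' ' . $name . '="' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '"';
    }
    return $out;
}

/**
 * Replace [b ...]TEXT[/b] with <b ...>TEXT</b>, filtering the attributes
 * and HTML-escaping the inner text (the question's $2) on the way.
 */
function bbBold(string $msg): string
{
    return preg_replace_callback(
        '/\[b((?:\s[^\]]*)?)\](.*?)\[\/b\]/is',
        static fn (array $m): string =>
            '<b' . bbFilterAttrs($m[1]) . '>' . htmlspecialchars($m[2], ENT_QUOTES, 'UTF-8') . '</b>',
        $msg
    );
}

// Constructed inputs: the three cases from the question.
$samples = [
    '[b]TEXT[/b]',
    '[b style="color: red;" title="HELLO"]TEXT[/b]',
    '[b onclick="SOME TROJAN SCRIPT"]TEXT[/b]',
];
foreach ($samples as $s) {
    printf("%-50s => %s\n", $s, bbBold($s));
}
```

With this structure the "does the name start with on" check is no longer needed: an attribute is emitted only if it is on the allow-list, so a new event handler name or an oddly delimited attribute cannot slip through. If the rest of the BBCode pipeline already runs htmlspecialchars over the whole message, drop the call on $m[2] to avoid double escaping.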

Source: https://habr.com/ru/post/1795385/
