php N javascript

blacksnday
Forum Contributor
Posts: 252
Joined: Sat Jul 30, 2005 6:11 am
Location: bfe Ohio :(

Post by blacksnday »

I am making a preview option for my form submission and need to figure out
how to pass a function to the javascript code.

As I have mentioned in earlier posts, I am using special code to strip out
all html, and only allow the bbcode tags I create.

The javascript preview code is

Code:

<script type="text/javascript">
<!--
function bashPreview(form) {
    var ink = "<div align=center>Preview News Submissions Coming Soon<br><a href=javascript:self.close();>Close this window</a></div><br><br><br>";
    // "int" is a reserved word in older JavaScript engines, so use another name
    var inn = "Your Name: " + form.username.value + "<br>";
    var inf = "Your Bash: " + form.userbash.value;
    // empty URL as first argument: the popup gets its content from document.write below
    var win = window.open('', 'popup', 'width=400,height=400,left=312,top=184,toolbar=0,location=0,directories=0,status=0,scrollbars=0,menubar=0,resizable=0');
    win.document.write(ink + inn + inf);
    win.document.close();
}
//-->
</script>
Usage example:

Code:

<input name='preview' type='button' class='submit' value='Preview' onClick='bashPreview(this.form)'>
And the html stripper/bbcode replace code is

Code:

function submitTags($html, $media = 0, $font = 0)
{
    // Strip anything that looks like a tag, then any <script> block that might
    // be left (nothing is, once the first pattern has run), then escape the
    // remaining special characters.
    $html = preg_replace('#</?.*?\>#i', '', $html);
    $html = preg_replace('#<script[^>]*?>.*?</script>#i', '', $html);
    $html = htmlspecialchars($html);

    if ($media) {
        // [link]...[/link] becomes an anchor; the target text is inserted as-is
        $html = preg_replace("#\[link\](.*?)\[/link\]#i", "<a href=\"\\1\" target=\"_blank\" title=\"bashmyex.com Bash Your Ex Girlfriend or Boyfriend Link!\">\\1</a>", $html);
    } else {
        $html = preg_replace("#\[link\](.*?)\[/link\]#i", "", $html);
    }

    if ($font) {
        $html = preg_replace("#\[br\]#i", "<br>", $html);
    }

    return $html;
}
Thanks to these forums I learned how to pass the above into display when calling
from the database by using something similar to

Code:

function one_random_news_entry() { 
  $result = mysql_unbuffered_query("SELECT * FROM news ORDER BY RAND() LIMIT 1"); 
  while ($row = mysql_fetch_assoc($result)) 
  { 
    $newposts = array ( "Name" => $row['name'], "Past Loves" => $row['lova'], "Bash" => $row['news'] ); 
    foreach ( $newposts as $postfield => $postinput ) 
    { 
      $postinput = submitTags($postinput, 1, 1); 
      echo "<b>{$postfield}:</b>  {$postinput}<br />"; 
    } 
    echo "<p>&nbsp;</p>"; 
  } 
}
And now this time I need to figure out how to
do the same for the javascript preview.
raghavan20
DevNet Resident
Posts: 1451
Joined: Sat Jun 11, 2005 6:57 am
Location: London, UK

Post by raghavan20 »

I am sorry, even after your long explanation I still don't see the points which you wanted to do???
Could you please clearly state the things you wanted to do as a numbered list???

Where is your full html form???
What are the fields you wanted to display in the preview??
Do you want to do any preprocessing before you display the preview???
blacksnday
Forum Contributor
Posts: 252
Joined: Sat Jul 30, 2005 6:11 am
Location: bfe Ohio :(

Post by blacksnday »

heh, lemme try to explain again :)

I offer a form for users to submit articles.
I disallow any html from being used on the form.
I have a function that will strip out all html if it is used.
The same function also converts all bbCode tags into html.
When the article is grabbed from the sql database and displayed
on the website, the function then converts bbCode to html and
any html used in the users form is then stripped away and not shown.

The function that takes care of the above is

Code:

function submitTags($html, $media = 0, $font = 0)
{
    // Strip anything that looks like a tag, then any <script> block that might
    // be left (nothing is, once the first pattern has run), then escape the
    // remaining special characters.
    $html = preg_replace('#</?.*?\>#i', '', $html);
    $html = preg_replace('#<script[^>]*?>.*?</script>#i', '', $html);
    $html = htmlspecialchars($html);

    if ($media) {
        // [link]...[/link] becomes an anchor; the target text is inserted as-is
        $html = preg_replace("#\[link\](.*?)\[/link\]#i", "<a href=\"\\1\" target=\"_blank\" title=\"bashmyex.com Bash Your Ex Girlfriend or Boyfriend Link!\">\\1</a>", $html);
    } else {
        $html = preg_replace("#\[link\](.*?)\[/link\]#i", "", $html);
    }

    if ($font) {
        $html = preg_replace("#\[br\]#i", "<br>", $html);
    }

    return $html;
}
and a sample sql query that will grab the article from the DB and convert to use the
above function:

Code:

function one_random_news_entry() { 
  $result = mysql_unbuffered_query("SELECT * FROM news ORDER BY RAND() LIMIT 1"); 
  while ($row = mysql_fetch_assoc($result)) 
  { 
    $newposts = array ( "Name" => $row['name'], "Past Loves" => $row['lova'], "Bash" => $row['news'] ); 
    foreach ( $newposts as $postfield => $postinput ) 
    { 
      $postinput = submitTags($postinput, 1, 1); 
      echo "<b>{$postfield}:</b>  {$postinput}<br />"; 
    } 
    echo "<p>&nbsp;</p>"; 
  } 
}
Notice the $postinput = submitTags($postinput, 1, 1);


Ok, that should explain how my bbcode replacement works.

I am now trying to write code to allow for users to Preview
their submission before they finally submit to the database.
Since any html they use will not be allowed in the final result
and I already offer pre-defined bbCode tags (which then get converted once displayed)
I need the Preview to reflect how their post will look.
The Preview javascript is:

Code:

<script type="text/javascript">
<!--
function bashPreview(form) {
    var ink = "<div align=center>Preview News Submissions Coming Soon<br><a href=javascript:self.close();>Close this window</a></div><br><br><br>";
    var inn = "Your Name: " + form.username.value + "<br>";
    var inf = "Your Bash: " + form.userbash.value;
    // empty URL as first argument: the popup gets its content from document.write below
    var win = window.open('', 'popup', 'width=400,height=400,left=312,top=184,toolbar=0,location=0,directories=0,status=0,scrollbars=0,menubar=0,resizable=0');
    win.document.write(ink + inn + inf);
    win.document.close();
}
//-->
</script>
and example usage is

Code:

<input name='preview' type='button' class='submit' value='Preview' onClick='bashPreview(this.form)'>

So if they type something like the following:

Code:

[color=red]This is a test post.[/color] [br]
These tags are examples of what I allow in [size=large]user posts[/size]
and how it looks until the [b]submitTags($postinput, 1, 1);[/b] is called to convert it

and use the preview option, I need it then to use my submitTags function to properly display the post.
The preview should show the above as this:

This is a test post.
These tags are examples of what I allow in user posts
and how it looks until the submitTags($postinput, 1, 1); is called to convert it

I am just unsure how to have the preview call up the submitTags function since the Preview
is javascript. I hope that may make more sense?

basically... just like on these forums... you use bbCode to format your post, then once you hit
the preview button.. the preview properly shows your post based on the bbCode you used.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

most preview options do a partial submission, meaning they do a full post to the server, the server processes the input nearly identical to what it would do for a view post request except instead of pulling the data from a database it's pulled directly from the posted data. This is then inserted into a second above the normal posting box and the code returns to post creation mode.

On a secondary note: your bbtags allow XSS
blacksnday
Forum Contributor
Posts: 252
Joined: Sat Jul 30, 2005 6:11 am
Location: bfe Ohio :(

Post by blacksnday »

How can I fix the XSS?
When it comes to stuff like javascript and meta redirects and that kind of exploit,
the function corrects it.

What am I missing?

And I guess I am confused with previews doing a submit.
A preview is separate, and having two submit buttons on one form doesn't
really work too well?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

you can have many submit buttons, it doesn't matter to the browser.

As for your XSS, create a post where you have this in the post:

Code:

[link]javascript:alert('hi');[/link]
if I can do that, I can do a lot worse... ;)
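Putting feyd's two suggestions into code, as an added example (this is not code from the thread or from blacksnday's site): the Preview button is a second ordinary submit button that posts to the same script, the server renders the posted fields through exactly the same function the final view uses, and a [link] whose target is not an http(s) URL is simply not parsed, so it stays visible as literal text. The field names username, userbash and action follow the form on this page; the news table, its columns and the mysqli credentials are assumptions and marked as such.

```php
<?php
// Added example, not code from the thread. It implements feyd's advice:
// Preview is a plain submit back to this script, and [link] targets that
// are not http(s) URLs are left unparsed instead of being "cleaned".

/** Escape user text, then turn the allowed bbcode into HTML we generate ourselves. */
function renderTags(string $text, bool $media = true, bool $font = true): string
{
    // Escape first: no user-supplied HTML survives, and the bbcode patterns
    // below only ever operate on already-escaped text.
    $html = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');

    if ($media) {
        $html = preg_replace_callback('#\[link\](.*?)\[/link\]#i', function (array $m): string {
            // Only absolute http/https targets become anchors. Anything else
            // (javascript:, data:, vbscript:, relative paths, targets with
            // whitespace) is returned as the literal "[link]...[/link]" text.
            if (!preg_match('#^https?://\S+$#i', $m[1])) {
                return $m[0];
            }
            // $m[1] is already entity-escaped, so it is safe in the attribute and the body.
            return '<a href="' . $m[1] . '" target="_blank" rel="noopener noreferrer">' . $m[1] . '</a>';
        }, $html);
    } else {
        $html = preg_replace('#\[link\](.*?)\[/link\]#i', '', $html);
    }

    if ($font) {
        $html = preg_replace('#\[br\]#i', '<br>', $html);
    }
    return $html;
}

/** The form, re-filled with what the user typed so a preview round-trip loses nothing. */
function bashForm(string $name = '', string $bash = ''): string
{
    $n = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    $b = htmlspecialchars($bash, ENT_QUOTES, 'UTF-8');
    return <<<HTML
<form method="post" action="">
  Your Name: <input name="username" value="$n"><br>
  Your Bash:<br><textarea name="userbash" rows="8" cols="60">$b</textarea><br>
  <input type="submit" name="action" value="Preview">
  <input type="submit" name="action" value="Submit">
</form>
HTML;
}

/**
 * Handle one request. Returns the HTML fragment to print above the form
 * ('' when there is nothing to show). $store is only called for a real
 * submission and receives the raw bbcode, which is what this page's own
 * code stores; conversion to HTML happens at display time, as it does now.
 */
function handleBashForm(array $post, callable $store): string
{
    $name   = trim($post['username'] ?? '');
    $bash   = trim($post['userbash'] ?? '');
    $action = $post['action'] ?? '';

    if ($name === '' || $bash === '') {
        return $action === '' ? '' : '<p>Both fields are required.</p>';
    }

    if ($action === 'Preview') {
        // Same rendering path as the final view, fed from $_POST instead of the database.
        return '<div class="preview"><b>Your Name:</b> ' . renderTags($name, false, false)
             . '<br><b>Your Bash:</b> ' . renderTags($bash, true, true) . '</div>';
    }

    if ($action === 'Submit') {
        $store($name, $bash);
        return '<p>Thanks, your bash has been saved.</p>';
    }
    return '';
}

$fragment = handleBashForm($_POST, function (string $name, string $bash): void {
    // Assumed: table news(name, news) as in the SELECT on this page, and
    // placeholder credentials. A prepared statement keeps quotes in the
    // bbcode from breaking the query.
    $db = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
    $stmt = $db->prepare('INSERT INTO news (name, news) VALUES (?, ?)');
    $stmt->bind_param('ss', $name, $bash);
    $stmt->execute();
});

echo $fragment;
echo bashForm($_POST['username'] ?? '', $_POST['userbash'] ?? '');
```

With this, feyd's test post `[link]javascript:alert('hi');[/link]` fails the `^https?://` check and is shown back to the user as plain text, in the preview and in the stored post alike, because both go through renderTags. There is no separate client-side copy of the bbcode rules to keep in sync with the PHP.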
blacksnday
Forum Contributor
Posts: 252
Joined: Sat Jul 30, 2005 6:11 am
Location: bfe Ohio :(

Post by blacksnday »

feyd wrote:you can have many submit buttons, it doesn't matter to the browser.

As for your XSS, create a post where you have this in the post:

Code:

[link]javascript:alert('hi');[/link]
if I can do that, I can do a lot worse... ;)
Ok, if I do something like

Code:

$html = preg_replace('#<script>.*?</script>#i', '', $html);
$html = preg_replace('#alert\(#', '', $html);
$html = preg_replace('#javascript#', '', $html);
That looks to be a quick fix since it will strip out the script tags
and the alert( and javascript opening.
I'm still working on making it better by fully replacing anything within
any type of javascript attempt.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

I'd suggest not replacing it.. just don't parse it. :)
blacksnday
Forum Contributor
Posts: 252
Joined: Sat Jul 30, 2005 6:11 am
Location: bfe Ohio :(

Post by blacksnday »

Not parsing it would be ideal, however I like to let the user and everyone else know
how they were trying to be bad :p

I have just changed it now to be

Code:

$html = preg_replace('#</?.*?\>(.*?)</?.*?\>#i', 'Sorry, that is not allowed!', $html);
$html = preg_replace('#javascript(.*?)\;#', 'JavaScript Not allowed', $html);
And where the replacement text is, I will have it be a url to point to a page that
explains what the attempt was and why it was blocked.

The above will work with, and override, any link it may be tried with when using my

Code:

[link] [/link]

tags and just is something I like better so that it can be a slap in the
face for the user trying, and a laugh for those who may later read the post.

dunno.. one day I probably will change it to not parse at all :p
I guess that's the great thing about writing your own script huh? :P