PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

user___
Forum Contributor
Posts: 297
Joined: Tue Dec 05, 2006 3:05 pm

Post by user___ »

Hi guys,
I would like to know what is the regular expression which is used to send safe HTML (for image tags) in posting systems, forums, etc.

I have a string like this:

Code: Select all

[img]url to img[/img]
and I need it in HTML(

Code: Select all

<img src='url to img'></img>
).

Thank you.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Look in phpBB's source code.
user___
Forum Contributor
Posts: 297
Joined: Tue Dec 05, 2006 3:05 pm

Reply

Post by user___ »

feyd: I have done what you said, but I got this error:
Parse error: parse error, unexpected ':' in C:\www\web\parser.php(137) : regexp code on line 1

Fatal error: preg_replace() [<a href='function.preg-replace'>function.preg-replace</a>]: Failed evaluating code: http://$2 in C:\www\web\parser.php on line 137
I took the code exactly from phpBB, so I am making a mistake somewhere (I suppose).

I would be grateful if you, or anyone who is able to, could post me the regular expression.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

It would help to see your code......
Adrianc333
Forum Newbie
Posts: 14
Joined: Sat Feb 17, 2007 5:44 am
Location: South Yorkshire, UK

Post by Adrianc333 »

Code: Select all

$bbcode = array(
    '/(\[img\])(.*)(\[\/img\])/'
);

$html = array(
    '<img src="${2}" />'
);

$output = preg_replace($bbcode, $html, $text);
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

That opens you up for XSS, among other things. Be very careful.
user___
Forum Contributor
Posts: 297
Joined: Tue Dec 05, 2006 3:05 pm

Reply

Post by user___ »

feyd:

Code: Select all

preg_replace('#\[img\](https?://)([a-z0-9\-\.,\?!%\*_:;~\\&$@/=\+]+)\[/img\]#ie', '\$1\$2', 'img]http://www.domain..com/img.jpg[/img]);
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Your replacement string contains no <img> tag parts.
onion2k
Jedi Mod
Posts: 5263
Joined: Tue Dec 21, 2004 5:03 pm
Location: usrlab.com

Post by onion2k »

For the record, this particular example of BBcode can be done with just str_replace..

Code: Select all

$text = "[img]http://www.domain.com/image.jpg[/img]";
$text = str_replace("[img]","<img src='",$text);
$text = str_replace("[/img]","'>",$text);
You could do it with one str_replace if you used arrays.
user___
Forum Contributor
Posts: 297
Joined: Tue Dec 05, 2006 3:05 pm

Reply

Post by user___ »

feyd: I intentionally stripped the tags to make it clearer. I get the above error which is the problem. I can get any output.

onion2k: Thank you, man, but my script is much more complicated than the given example.
OasisGames
Forum Commoner
Posts: 26
Joined: Mon Apr 23, 2007 3:24 pm
Location: Ohio

Post by OasisGames »

onion2k wrote:For the record, this particular example of BBcode can be done with just str_replace..

Code: Select all

$text = "[img]http://www.domain.com/image.jpg[/img]";
$text = str_replace("[img]","<img src='",$text);
$text = str_replace("[/img]","'>",$text);
You could do it with one str_replace if you used arrays.

Code: Select all

[img]http://somesite.com/someimage.gif' onmouseover='evil javascript;[/img]
:(
user___
Forum Contributor
Posts: 297
Joined: Tue Dec 05, 2006 3:05 pm

Reply

Post by user___ »

Does anybody have the error I have?

OasisGames: Yes, it is vulnerable, that's why I am asking you for a regular expression that can do the job for me.
Do you have such?
Last edited by user___ on Tue May 01, 2007 1:23 pm, edited 1 time in total.
Begby
Forum Regular
Posts: 575
Joined: Wed Dec 13, 2006 10:28 am

Re: Reply

Post by Begby »

user___ wrote:feyd:

Code: Select all

preg_replace('#\[img\](https?://)([a-z0-9\-\.,\?!%\*_:;~\\&$@/=\+]+)\[/img\]#ie', '\$1\$2', 'img]http://www.domain..com/img.jpg[/img]);
This is missing a single quote after [/img].

Are you using an IDE that highlights this stuff? That will save you from taking your PC, throwing it out the window, then getting in your car and backing over it, then backing over it twice more just to make sure. Believe me I know.
user___
Forum Contributor
Posts: 297
Joined: Tue Dec 05, 2006 3:05 pm

Reply

Post by user___ »

I still get the error with this:

Code: Select all

preg_replace('#\[img\](https?://)([a-z0-9\-\.,\?!%\*_:;~\\&$@/=\+]+)\[/img\]#ie', '\$1\$2', '[img]http://www.domain.com/image.jpg[/img]');
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

What are the possible places where the error is occurring in the line?
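
An added example (not code from any poster in this thread, and not phpBB's own code): one way to convert `[img]` tags without the `e` modifier, using `preg_replace_callback()` so that each URL is validated and HTML-escaped before it reaches the `src` attribute. The helper names `is_safe_image_url` and `bbcode_img_to_html` and the sample posts are assumptions made for illustration.

```php
<?php
// Added example, not code from this thread or from phpBB.
// is_safe_image_url() and bbcode_img_to_html() are hypothetical helper names.

function is_safe_image_url(string $url): bool
{
    // Quotes, whitespace, angle brackets and control bytes never belong in the URL.
    if (preg_match('/[\s"\'<>\x00-\x1f]/', $url)) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        return false;
    }
    // Scheme allowlist: only http and https may reach the src attribute.
    return in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true);
}

function bbcode_img_to_html(string $text): string
{
    // 1. Escape the whole post first, so nothing the user typed is live markup.
    $escaped = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');

    // 2. No "e" modifier (it evaluated the replacement as PHP code and was
    //    removed in PHP 7). The callback validates each URL instead.
    //    .+? is non-greedy, so two tags on one line are matched separately.
    return preg_replace_callback(
        '#\[img\](.+?)\[/img\]#i',
        function (array $m): string {
            $url = htmlspecialchars_decode($m[1], ENT_QUOTES);
            if (!is_safe_image_url($url)) {
                return $m[0]; // stays as inert, escaped text
            }
            return '<img src="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '" alt="">';
        },
        $escaped
    );
}

// Constructed sample posts; the second is the input quoted earlier in the thread.
$samples = [
    "[img]http://www.domain.com/image.jpg[/img]",
    "[img]http://somesite.com/someimage.gif' onmouseover='evil javascript;[/img]",
    "[img]javascript:void(0)[/img]",
    "[img]https://example.com/a.png?x=1&y=2[/img] <b>hi</b>",
];
foreach ($samples as $post) {
    echo bbcode_img_to_html($post), PHP_EOL;
}
```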