user___
Forum Contributor
Posts: 297 Joined: Tue Dec 05, 2006 3:05 pm
by user___ » Tue May 01, 2007 5:28 am
Hi guys,
I would like to know what is the regular expression which is used to send safe HTML (for image tags) in posting systems, forums, etc.
I have a string like this:
and I need it in HTML(
).
Thank you.
feyd
Neighborhood Spidermoddy
Posts: 31559 Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA
by feyd » Tue May 01, 2007 7:36 am
Look in phpBB's source code.
by user___ » Tue May 01, 2007 9:30 am
feyd: I have done what you have said but I got this error:
Parse error: parse error, unexpected ':' in C:\www\web\parser.php(137) : regexp code on line 1
Fatal error: preg_replace() [<a href='function.preg-replace'>function.preg-replace</a>]: Failed evaluating code: http://$2 in C:\www\web\parser.php on line 137
I got the code exactly from phpBB so I am mistaken somewhere (I suppose).
I would be grateful if you or anyone who is able could post me the regular expression.
by feyd » Tue May 01, 2007 9:37 am
It would help to see your code......
Adrianc333
Forum Newbie
Posts: 14 Joined: Sat Feb 17, 2007 5:44 am
Location: South Yorkshire, UK
by Adrianc333 » Tue May 01, 2007 9:37 am
Code:
$bbcode = array(
'/(\[img\])(.*)(\[\/img\])/'
);
$html = array(
'<img src="${2}" />'
);
$output = preg_replace($bbcode, $html, $text);
by feyd » Tue May 01, 2007 9:41 am
That opens you up for XSS, among other things. Be very careful.
by user___ » Tue May 01, 2007 9:55 am
feyd:
Code:
preg_replace('#\[img\](https?://)([a-z0-9\-\.,\?!%\*_:;~\\&$@/=\+]+)\[/img\]#ie', '\$1\$2', 'img]http://www.domain..com/img.jpg[/img]);
by feyd » Tue May 01, 2007 10:08 am
Your replacement string contains no <img> tag parts.
onion2k
Jedi Mod
Posts: 5263 Joined: Tue Dec 21, 2004 5:03 pm
Location: usrlab.com
by onion2k » Tue May 01, 2007 10:23 am
For the record, this particular example of BBcode can be done with just str_replace..
Code:
$text = "[img]http://www.domain.com/image.jpg[/img]";
$text = str_replace("[img]","<img src='",$text);
$text = str_replace("[/img]","'>",$text);
You could do it with one str_replace if you used arrays.
by user___ » Tue May 01, 2007 10:27 am
feyd: I intentionally stripped the tags to make it clearer. I get the above error which is the problem. I can get any output.
onion2k: Thank you, man, but my script is much more complicated than the given example.
OasisGames
Forum Commoner
Posts: 26 Joined: Mon Apr 23, 2007 3:24 pm
Location: Ohio
by OasisGames » Tue May 01, 2007 10:37 am
onion2k wrote: For the record, this particular example of BBcode can be done with just str_replace..
Code:
$text = "[img]http://www.domain.com/image.jpg[/img]";
$text = str_replace("[img]","<img src='",$text);
$text = str_replace("[/img]","'>",$text);
You could do it with one str_replace if you used arrays.
Code:
[img]http://somesite.com/someimage.gif' onmouseover='evil javascript;[/img]
by user___ » Tue May 01, 2007 11:10 am
Does anybody have the error I have?
OasisGames: Yes, it is vulnerable, that's why I am asking you for a regular expression that can do the job for me.
Do you have such?
Last edited by user___ on Tue May 01, 2007 1:23 pm, edited 1 time in total.
Begby
Forum Regular
Posts: 575 Joined: Wed Dec 13, 2006 10:28 am
by Begby » Tue May 01, 2007 12:55 pm
user___ wrote: feyd:
Code:
preg_replace('#\[img\](https?://)([a-z0-9\-\.,\?!%\*_:;~\\&$@/=\+]+)\[/img\]#ie', '\$1\$2', 'img]http://www.domain..com/img.jpg[/img]);
This is missing a single quote after [/img].
Are you using an IDE that highlights this stuff? That will save you from taking your PC, throwing it out the window, then getting in your car and backing over it, then backing over it twice more just to make sure. Believe me I know.
by user___ » Tue May 01, 2007 1:27 pm
I still get the error with this:
Code:
preg_replace('#\[img\](https?://)([a-z0-9\-\.,\?!%\*_:;~\\&$@/=\+]+)\[/img\]#ie', '\$1\$2', '[img]http://www.domain.com/image.jpg[/img]');
by feyd » Tue May 01, 2007 1:32 pm
What are the possible places where the error is occurring in the line?
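The thread ends without a working answer, so the following is an added example (not code from any poster or from phpBB) of one way to convert [img] tags that covers both problems raised above. The "Failed evaluating code" error comes from the /e modifier, which makes preg_replace() evaluate the replacement string as PHP code, and the attribute injection in OasisGames' post comes from writing the URL into the attribute unescaped. The function name bbcode_img_to_html and the sample inputs are assumptions.

```php
<?php
// Added example, not code from the thread or from phpBB.
// bbcode_img_to_html() is a hypothetical name. Requires PHP 7+.

function bbcode_img_to_html(string $text): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;

    // 1. Escape the whole post first, so the only markup in the output
    //    is the <img> tag built below.
    $escaped = htmlspecialchars($text, $flags, 'UTF-8');

    // 2. No /e modifier: the callback receives the match as data and
    //    nothing from the post is ever evaluated as PHP code.
    //    [^\s\[\]]+ cannot span whitespace or another tag.
    $out = preg_replace_callback(
        '#\[img\]([^\s\[\]]+)\[/img\]#i',
        function (array $m) use ($flags): string {
            // Undo the escaping so the raw URL can be validated.
            $url   = htmlspecialchars_decode($m[1], $flags);
            $parts = parse_url($url);
            if ($parts === false) {
                return $m[0];            // unparsable: leave as escaped text
            }
            $scheme = strtolower($parts['scheme'] ?? '');
            // 3. Allowlist the scheme and require a host.
            if (!in_array($scheme, ['http', 'https'], true) || empty($parts['host'])) {
                return $m[0];            // leave the tag as escaped text
            }
            // 4. Re-escape for the attribute context; quotes become entities.
            return '<img src="' . htmlspecialchars($url, $flags, 'UTF-8') . '" alt="">';
        },
        $escaped
    );

    return $out ?? $escaped;             // preg error: fall back to escaped text
}

// Constructed sample inputs; the second is the payload posted in the thread.
$samples = [
    "[img]http://www.domain.com/image.jpg[/img]",
    "[img]http://somesite.com/someimage.gif' onmouseover='evil javascript;[/img]",
    "[img]ftp://www.domain.com/image.jpg[/img]",
    "<b>hi</b> [IMG]https://www.domain.com/a.png?x=1&y=2[/IMG]",
];
foreach ($samples as $s) {
    echo bbcode_img_to_html($s), PHP_EOL;
}
```

The second sample is left as escaped text because the pattern refuses whitespace inside the tag. A quote with no whitespace around it would still be emitted as an entity inside the double-quoted src attribute, so it cannot close the attribute.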