[img]
Posted: Tue May 01, 2007 5:28 am
by user___
Hi guys,
I would like to know what regular expression is used to send safe HTML (for image tags) in posting systems, forums, etc.
I have a string like this:
and I need it in HTML(
).
Thank you.
Posted: Tue May 01, 2007 7:36 am
by feyd
Look in phpBB's source code.
Reply
Posted: Tue May 01, 2007 9:30 am
by user___
feyd: I have done what you said, but I got this error:
Parse error: parse error, unexpected ':' in C:\www\web\parser.php(137) : regexp code on line 1
Fatal error: preg_replace() [<a href='function.preg-replace'>function.preg-replace</a>]: Failed evaluating code: http://$2 in C:\www\web\parser.php on line 137
I got the code exactly from phpBB, so I am making a mistake somewhere (I suppose).
I would be grateful if you or anyone who is able could post me the regular expression.
Posted: Tue May 01, 2007 9:37 am
by feyd
It would help to see your code......
Posted: Tue May 01, 2007 9:37 am
by Adrianc333
Code:
$bbcode = array(
'/(\[img\])(.*)(\[\/img\])/'
);
$html = array(
'<img src="${2}" />'
);
$output = preg_replace($bbcode, $html, $text);
Posted: Tue May 01, 2007 9:41 am
by feyd
That opens you up for XSS, among other things. Be very careful.
Reply
Posted: Tue May 01, 2007 9:55 am
by user___
feyd:
Code:
preg_replace('#\[img\](https?://)([a-z0-9\-\.,\?!%\*_:;~\\&$@/=\+]+)\[/img\]#ie', '\$1\$2', 'img]http://www.domain..com/img.jpg[/img]);
Posted: Tue May 01, 2007 10:08 am
by feyd
Your replacement string contains no <img> tag parts.
Posted: Tue May 01, 2007 10:23 am
by onion2k
For the record, this particular example of BBcode can be done with just str_replace..
Code:
$text = "[img]http://www.domain.com/image.jpg[/img]";
$text = str_replace("[img]","<img src='",$text);
$text = str_replace("[/img]","'>",$text);
You could do it with one str_replace if you used arrays.
Reply
Posted: Tue May 01, 2007 10:27 am
by user___
feyd: I intentionally stripped the tags to make it clearer. I get the above error, which is the problem. I can get any output.
onion2k: Thank you, man, but my script is much more complicated than the given example.
Posted: Tue May 01, 2007 10:37 am
by OasisGames
onion2k wrote: For the record, this particular example of BBcode can be done with just str_replace..
Code:
$text = "[img]http://www.domain.com/image.jpg[/img]";
$text = str_replace("[img]","<img src='",$text);
$text = str_replace("[/img]","'>",$text);
You could do it with one str_replace if you used arrays.
Code:
[img]http://somesite.com/someimage.gif' onmouseover='evil javascript;[/img]

Reply
Posted: Tue May 01, 2007 11:10 am
by user___
Does anybody have the error I have?
OasisGames: Yes, it is vulnerable, that's why I am asking you for a regular expression that can do the job for me.
Do you have such?
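An added example, not part of the thread and not phpBB's code: one way to convert [img] tags that rejects the attribute-injection input shown above and avoids the /e modifier, which runs the replacement string as PHP code (hence "Failed evaluating code"). It assumes PHP 7 or later, bbcode_img() is a hypothetical helper name, and the sample inputs are constructed.

```php
<?php
// Added example; bbcode_img() is a hypothetical helper, not phpBB's API.
function bbcode_img(string $text): string
{
    // 1. Escape the whole post so no raw markup typed by the user survives.
    $safe = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');

    // 2. Match the tag body loosely, then validate it in a callback.
    //    preg_replace_callback() replaces the /e modifier: nothing is eval'd.
    return preg_replace_callback(
        '#\[img\](\S+?)\[/img\]#i',
        function (array $m): string {
            // Undo step 1 for the URL only, so it is checked as typed.
            $url = htmlspecialchars_decode($m[1], ENT_QUOTES);
            $parts = parse_url($url);
            $ok = is_array($parts)
                && isset($parts['scheme'], $parts['host'])
                && in_array(strtolower($parts['scheme']), ['http', 'https'], true)
                // No control chars, spaces, quotes, angle brackets, backticks, backslashes.
                && !preg_match('/[\x00-\x20"\'<>`\\\\]/', $url);
            if (!$ok) {
                return $m[0]; // rejected: stays as escaped plain text
            }
            // Re-escape on output so the value cannot close the attribute.
            return '<img src="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '" alt="" />';
        },
        $safe
    ) ?? $safe; // on a PCRE error, fall back to the escaped text
}

// Constructed sample inputs: a normal image, the injection string from the
// thread, a non-http scheme, and a URL with a query string next to raw HTML.
$samples = [
    "[img]http://www.domain.com/image.jpg[/img]",
    "[img]http://somesite.com/someimage.gif' onmouseover='evil javascript;[/img]",
    "[img]ftp://example.com/a.png[/img]",
    '<b>hi</b> [img]https://example.com/a.png?x=1&y=2[/img]',
];
foreach ($samples as $s) {
    echo bbcode_img($s), "\n";
}
```

Only the first and last samples produce an <img> tag; the other two come back as escaped text with the BBCode left unconverted.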
Re: Reply
Posted: Tue May 01, 2007 12:55 pm
by Begby
user___ wrote: feyd:
Code:
preg_replace('#\[img\](https?://)([a-z0-9\-\.,\?!%\*_:;~\\&$@/=\+]+)\[/img\]#ie', '\$1\$2', 'img]http://www.domain..com/img.jpg[/img]);
This is missing a single quote after [/img].
Are you using an IDE that highlights this stuff? That will save you from taking your PC, throwing it out the window, then getting in your car and backing over it, then backing over it twice more just to make sure. Believe me I know.
Reply
Posted: Tue May 01, 2007 1:27 pm
by user___
I still get the error with this:
Code:
reg_replace('#\[img\](https?://)([a-z0-9\-\.,\?!%\*_:;~\\&$@/=\+]+)\[/img\]#ie', '\$1\$2', '[img]http://www.domain.com/image.jpg[/img]');
Posted: Tue May 01, 2007 1:32 pm
by feyd
What are the possible places where the error is occurring in the line?