I have been reading thousands of articles about PHP security, and I wrote a simple comment script.
Can you find anything 'evilish', or even annoying bugs?
<?php
/*
Read the field defensively: a missing "message" key would otherwise raise an
undefined-index notice.
*/
$message = isset($_POST["message"]) ? $_POST["message"] : "";
/*
No HTML accepted directly. Only accepted through BBCode.
The explicit charset avoids the old ISO-8859-1 default and keeps multibyte input intact.
*/
$message = htmlspecialchars($message, ENT_COMPAT, 'UTF-8');
/*
Convert line breaks to <br /> tags. Handle CRLF, bare CR and bare LF, since
browsers and operating systems do not agree on which one a textarea submits.
*/
$message = preg_replace("/\r\n|\r|\n/", "<br />", $message);
/*
Replacing all BBCode URL tags [url=xxx]yyy[/url] with working HTML anchors
IF xxx does NOT contain the characters '(', ')' or ';'.
This makes it possible to use any protocol in anchors that does not carry anything dangerous.
For example 'mailto:example@host.com' is valid while 'javascript: alert();' is not.
The reason why I like this method is that when you type '[url=javascript:alert("hacked");]click[/url]',
it will not be stripped off or even modified - it will be shown as it is: '[url=javascript:alert("hacked");]click[/url]'.
*/
$message = preg_replace("/\[url=([^\]\(\);]+?)\](.+?)\[\/url\]/i", "<a href=\"\\1\">\\2</a>", $message);
echo $message;
?>

Thank you for your time! :)
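Added example, not code from the original post: a Python port of the same pipeline (PHP-style escaping, line breaks to <br />, the posted [url] regex) next to an allowlist variant, so the two policies can be run against the same inputs offline. The allowlist of schemes, the name safe_href and the sample messages are my assumptions; the posted script uses a character blacklist, not an allowlist, and relative URLs such as "//host/path" are rejected by the allowlist variant by design.

```python
import html
import re

# The [url=...]...[/url] pattern from the post, unchanged: the href part may not
# contain ']', '(', ')' or ';'.
URL_TAG = re.compile(r"\[url=([^\]();]+?)\](.+?)\[/url\]", re.IGNORECASE)

# Assumed allowlist for the hardened variant (not part of the original post).
ALLOWED_SCHEMES = {"http", "https", "mailto"}
SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")


def escape_like_php(text: str) -> str:
    """Mimic PHP htmlspecialchars() with its default ENT_COMPAT flags:
    & < > and " are escaped, the single quote is left alone."""
    return html.escape(text, quote=False).replace('"', "&quot;")


def render_blacklist(message: str) -> str:
    """Behaviour of the posted script: any scheme becomes a link unless the
    href contains '(', ')' or ';'."""
    out = escape_like_php(message)
    out = re.sub(r"\r\n|\r|\n", "<br />", out)
    return URL_TAG.sub(r'<a href="\1">\2</a>', out)


def safe_href(href: str) -> bool:
    """True only for an href with an allowlisted scheme and no control characters.
    Browsers strip tab and newline inside a URL, so 'java\\tscript:' must be
    rejected before the scheme is compared."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in href):
        return False
    m = SCHEME.match(href)
    return bool(m) and m.group(1).lower() in ALLOWED_SCHEMES


def render_allowlist(message: str) -> str:
    """Hardened variant: same BBCode syntax, but a tag whose href fails safe_href
    is left exactly as typed (already HTML-escaped) instead of becoming a link."""
    out = escape_like_php(message)
    out = re.sub(r"\r\n|\r|\n", "<br />", out)

    def repl(m):
        href, text = m.group(1), m.group(2)
        if not safe_href(href):
            return m.group(0)
        return f'<a href="{href}">{text}</a>'

    return URL_TAG.sub(repl, out)


if __name__ == "__main__":
    # Constructed sample messages; the last two contain no '(', ')' or ';'.
    samples = [
        "[url=mailto:example@host.com]mail me[/url]",
        '[url=javascript:alert("hacked");]click[/url]',
        "[url=javascript:location='http://evil.example']click[/url]",
        "[url=java\tscript:location=name]click[/url]",
    ]
    for s in samples:
        print("blacklist:", render_blacklist(s))
        print("allowlist:", render_allowlist(s))
```

Running the two renderers side by side is the check worth doing before trusting a character blacklist: the decision that matters is which scheme the browser will execute, and a scheme allowlist makes that decision explicitly instead of guessing which punctuation a payload needs.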