
View Full Version : A simple BB code support as well as filtering the HTML



a_bertrand
10-29-2009, 12:46 PM
Here is a simple way (it could be written differently) to avoid HTML/JS injections and at the same time support (some of) the BB tags:



// Note: the forum's own BB-code renderer consumed the bracketed BB tags inside many of the
// pattern and replacement strings below (the empty "" arguments and the "//i" patterns), so
// those arguments appear empty or truncated in the archived post and are kept as shown.
function view_bb($desc)
{
  $desc=nl2br($desc);
  $desc=preg_replace("/<ul>/i","",$desc);
  $desc=preg_replace("//i","",$desc);
  $desc=preg_replace("/<center>/i","\n",$desc);
  $desc=preg_replace("/<\\/[ ]*center>/i","",$desc);
  $desc=preg_replace("/<\\/[ ]*ul>/i","",$desc);
  $desc=preg_replace("/<\\/[ ]*ol>/i","",$desc);
  $desc=preg_replace("/ /i","",$desc); // tag lost in the archive; as shown this pattern removes every space
  $desc=preg_replace("/<\\/[ ]*li>/i","",$desc);
  $desc=preg_replace("/<\\/[ ]*a>/i","[/A]",$desc);
  $desc=preg_replace("/<br[ \\/]*>/i","",$desc);
  $desc=preg_replace("//i","[B]",$desc);
  $desc=preg_replace("/<\\/[ ]*b>/i","",$desc);
  $desc=preg_replace("//i","[B]",$desc);
  $desc=preg_replace("/<u>/i","",$desc);
  $desc=preg_replace("/<\\/[ ]*i>/i","",$desc);
  $desc=preg_replace("/\n\n/i","",$desc); // the opening tag was rendered as a paragraph break in the archive
  $desc=preg_replace("/<\\/[ ]*p>/i","",$desc);
  $desc=preg_replace("/<s>/i","[B]",$desc);
  $desc=preg_replace("/[b]/i","[B]",$desc); // as shown, [b] is a character class matching the letter b
  $desc=preg_replace("/<\\/[ ]*s>/i","",$desc);
  $desc=preg_replace("/<\\/[ ]*strong>/i","",$desc);
  $desc=preg_replace("//i","[I]",$desc);
  $desc=preg_replace("/<\\/[ ]*i>/i","",$desc);
  $desc=preg_replace("/<\\/[ ]*font>/i","[/FONT]",$desc);
  $desc=preg_replace("/<font size=([\\+\\-0-9]*)>/i","",$desc);
  $desc=preg_replace("/<font color=[ ]*(\\\")?([\\#0-9A-Za-z]*)(\\\")?>/i","[FONT COLOR=\$2]",$desc);
  $desc=preg_replace("/<font size=([\\+\\-0-9]*) color=[ ]*[\"]{0,1}([\\#0-9A-Za-z]*)[\"]{0,1}>/i","[FONT SIZE=\$1 COLOR=\$2]",$desc);
  $desc=preg_replace("/<font color=[ ]*[\\\"]?([\\#0-9A-Za-z]*)[\\\"]? size=([\\+\\-0-9]*)>/i","[FONT SIZE=\$2 COLOR=\$1]",$desc);
  // The capture group here was lost in the archive ("(*)" does not compile);
  // "[^\" >]*" is an assumed stand-in that takes the href value up to a quote, space or ">".
  $desc=preg_replace("/<a href\\=[\"]{0,1}([^\" >]*)[\"]{0,1}>/i","[A HREF=\$1]",$desc);
  // Escape every remaining angle bracket; only the tags rebuilt below come back as HTML.
  $desc=str_replace(array("<",">"),array("&lt;","&gt;"),$desc);
  $desc=str_replace(
    array("[OL]","","","[LI]","","","[BR]","","","\n","","","","","","","",""),
    array("","<UL>","","<LI>","</LI>","</A>","\n","","","<CENTER>","</CENTER>","</FONT>","\n\n","</P>","","","<U>","</U>"),
    $desc);
  $desc=preg_replace("/\\[FONT SIZE\\=([\\+\\-0-9]*)\\]/","<FONT SIZE=\$1>",$desc);
  $desc=preg_replace("/\\[FONT COLOR\\=([\\#0-9A-Za-z]*)\\]/","<FONT COLOR=\$1>",$desc);
  $desc=preg_replace("/\\[FONT SIZE\\=([\\+\\-0-9]*) COLOR\\=([\\#0-9A-Za-z]*)\\]/","<FONT SIZE=\$1 COLOR=\$2>",$desc);
  // Only http(s) URLs become links and the value is quoted, so a value with another scheme
  // typed as [A HREF=...] stays plain text instead of becoming an attribute.
  $desc=preg_replace("/\\[A HREF\\=(https?:\\/\\/[a-zA-Z0-9\\.\\-_:@%\\/\\;\\$\\(\\)~\\?\\+\\\\&]*)\\]/i","<A HREF=\"\$1\" TARGET=_blank>",$desc);
  // The img/url bodies require an http(s) URL and exclude double quotes, so the captured
  // value can neither close the SRC/HREF attribute nor carry a non-http scheme.
  $desc=preg_replace("/\\[img width=([0-9]+)\\](https?:\\/\\/[^\"]+?)\\[\\/[ ]*img\\]/i","<IMG SRC=\"\$2\" BORDER=0 WIDTH=\$1>",$desc);
  $desc=preg_replace("/\\[img width=([0-9]+) height=([0-9]+)\\](https?:\\/\\/[^\"]+?)\\[\\/[ ]*img\\]/i","<IMG SRC=\"\$3\" BORDER=0 WIDTH=\$1 HEIGHT=\$2>",$desc);
  $desc=preg_replace("/\\[img height=([0-9]+) width=([0-9]+)\\](https?:\\/\\/[^\"]+?)\\[\\/[ ]*img\\]/i","<IMG SRC=\"\$3\" BORDER=0 WIDTH=\$2 HEIGHT=\$1>",$desc);
  $desc=preg_replace("/\\[img\\](https?:\\/\\/[^\"]+?)\\[\\/[ ]*img\\]/i","<IMG SRC=\"\$1\">",$desc);
  $desc=preg_replace("/\\[url\\](https?:\\/\\/[^\"]+?)\\[\\/[ ]*url\\]/i","<A HREF=\"\$1\">\$1</A>",$desc);

  // Auto-link bare URLs that are not already inside a quoted attribute.
  $desc=preg_replace("/([^\"^'^=](http|https):\\/\\/[a-zA-Z0-9\\.\\-_:@%\\/\\;\\$\\(\\)~\\?\\+\\\\&]*)/","<A HREF=\"\$1\" TARGET=_blank>\$1</A>",$desc);

  return $desc;
}


To use it:


echo view_bb("This is MY BB code tool<div onClick='alert(1)'>will not work!</div>");
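The same idea with the order reversed, added here as an example and not a_bertrand's code: escape the whole string first, rebuild only a whitelist of BB tags afterwards, and validate any value that will land in an href or src attribute before it gets there, since a bracketed tag whose value flows into an attribute is the place a converter like this has to guard most carefully. render_bb(), safe_url() and the two sample inputs are this example's own assumptions.

```php
<?php
// Added example, not a_bertrand's code: escape everything first, then rebuild a small
// whitelist of BB tags, validating any value that lands in an href or src attribute.
// render_bb() and safe_url() are names chosen for this example.

function safe_url(string $url): ?string
{
    // Only absolute http/https URLs may reach an attribute; javascript:, data: and
    // relative values are rejected and stay visible as escaped text.
    $url = html_entity_decode($url, ENT_QUOTES, 'UTF-8');
    if (!preg_match('#^https?://#i', $url) || filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

function render_bb(string $text): string
{
    // Step 1: neutralise < > & " ' so no user-supplied markup survives at all.
    $html = nl2br(htmlspecialchars($text, ENT_QUOTES, 'UTF-8'));

    // Step 2: re-enable attribute-free tags with a fixed open/close mapping.
    $html = preg_replace('#\[(/?)(b|i|u|s)\]#i', '<${1}${2}>', $html);
    $html = preg_replace('#\[center\](.*?)\[/center\]#is', '<div style="text-align:center">$1</div>', $html);

    // Step 3: tags that carry a URL go through safe_url(); a rejected URL leaves the
    // original BB text in place so the author can see what was refused.
    $html = preg_replace_callback('#\[url\](.+?)\[/url\]#is', function (array $m): string {
        $u = safe_url($m[1]);
        return $u === null ? $m[0]
            : '<a href="' . $u . '" rel="nofollow noopener" target="_blank">' . $u . '</a>';
    }, $html);
    $html = preg_replace_callback('#\[img(?: width=(\d+))?\](.+?)\[/img\]#is', function (array $m): string {
        $u = safe_url($m[2]);
        if ($u === null) {
            return $m[0];
        }
        $w = $m[1] !== '' ? ' width="' . (int) $m[1] . '"' : '';
        return '<img src="' . $u . '"' . $w . ' alt="">';
    }, $html);
    return $html;
}

// Constructed inputs: the thread's own test string, then a javascript: URL next to a real one.
echo render_bb("This is MY BB code tool<div onClick='alert(1)'>will not work!</div>"), "\n";
echo render_bb("[b]bold[/b] [url]javascript:alert(1)[/url] [url]https://example.com/[/url]"), "\n";
```

The first call prints the div as visible text rather than markup, and in the second only the https link becomes an anchor while the javascript: one is left as its escaped BB source.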

seanybob
10-29-2009, 03:06 PM
Not too shabby. Being horrid at regular expressions, I would always have trouble with img tags in bbcode when I created my bbcode engine, and I see you took care of those quite nicely.

a_bertrand
10-29-2009, 08:02 PM
The most difficult part was to have automatic links for URLs written within the text. It should all work, though maybe there are some cases not covered. I could use fewer preg_replace calls by feeding it arrays of expressions and replacements, but I thought it would be a bit more readable like that.