Display formatted user input in PHP

Source: Internet
Author: User
This article describes how to safely display formatted user input in PHP; the accompanying file, outputlib.php, can be downloaded from the original page. We will discuss the dangers of displaying output without filtering it, and give a safe way to display formatted output.

The risk of not filtering output


If you simply take the user's input and display it, you may break your output page, because someone can maliciously embed a JavaScript script in the input box:


This is my comment.
<script language="javascript">
alert('Do something bad here!');
</script>


Even when the user is not malicious, stray input can still break some of your HTML, for example a table that is suddenly cut off, or a page that does not render completely.


Show only unformatted text


This is the simplest solution: you simply display what the user submitted as unformatted text. The htmlspecialchars() function converts the HTML special characters into HTML entities,


so that, for example, <b> is converted to &lt;b&gt;. This ensures that no unexpected HTML markup is output where it should not be.

This is a good solution if your users only care about unformatted text. However, it would be better if you could also give them some ability to format their text.


Formatting with custom markup tags


You can provide users with special tags of your own. For example, you can allow [b]...[/b] for bold and [i]...[/i] for italics; a simple find-and-replace is then enough:

$output = str_replace('[b]', '<b>', $output);

$output = str_replace('[i]', '<i>', $output);


To make it better, we can allow users to enter links. For example, the user is allowed to write [link="URL"]...[/link], which we convert into an <a href="URL">...</a> element.


For this we can no longer use a simple find-and-replace; we need a regular expression instead:

$output = ereg_replace('\[link=&quot;([[:graph:]]+)&quot;\]', '<a href="\\1">', $output);


What this ereg_replace() call does is:

find every string of the form [link="..."] and replace it with <a href="...">.

[[:graph:]] means any printable, non-blank character; see an article on regular expressions for details. Note that the quote is matched as &quot; because htmlspecialchars() has already encoded it. (ereg_replace() was removed in PHP 7.0; preg_replace() accepts the same pattern between delimiters, and the listing below uses it.)


The format_output() function in outputlib.php performs the conversion of these tags. The overall principle is:

first call htmlspecialchars() to encode the HTML special characters, so that any HTML tags the user typed are displayed literally instead of being interpreted, and then convert our series of custom tags into the corresponding HTML tags.


The source code is as follows:

<?php

function format_output($output) {
/****************************************************************************
 * Takes a raw string ($output) and formats it for output using a special
 * stripped down markup similar to HTML
 ****************************************************************************/

    /* stripslashes() undoes magic_quotes_gpc escaping; htmlspecialchars()
       encodes <, >, & and " so that user-typed HTML is shown, not rendered */
    $output = htmlspecialchars(stripslashes($output));

    /* New paragraph */
    $output = str_replace('[p]', '<p>', $output);

    /* Bold */
    $output = str_replace('[b]', '<b>', $output);
    $output = str_replace('[/b]', '</b>', $output);

    /* Italics */
    $output = str_replace('[i]', '<i>', $output);
    $output = str_replace('[/i]', '</i>', $output);

    /* Preformatted */
    $output = str_replace('[pre]', '<pre>', $output);
    $output = str_replace('[/pre]', '</pre>', $output);

    /* Indented blocks (blockquote) */
    $output = str_replace('[indent]', '<blockquote>', $output);
    $output = str_replace('[/indent]', '</blockquote>', $output);

    /* Anchors. The article used ereg_replace(), which was removed in PHP 7.0;
       preg_replace() takes the same pattern between delimiters. The quotes are
       matched as &quot; because htmlspecialchars() has already run */
    $output = preg_replace('/\[anchor=&quot;([[:graph:]]+)&quot;\]/', '<a name="$1"></a>', $output);

    /* Links, note we try to prevent javascript in links: inserting a space
       after the quote stops the pattern below from matching */
    $output = str_replace('[link=&quot;javascript', '[link=&quot; javascript', $output);
    $output = preg_replace('/\[link=&quot;([[:graph:]]+)&quot;\]/', '<a href="$1">', $output);
    $output = str_replace('[/link]', '</a>', $output);

    /* Newlines become <br>, also after htmlspecialchars() */
    return nl2br($output);
}

?>


Some points to note:

Remember that the replacement of custom tags with HTML tag strings happens after the call to htmlspecialchars(), not before it; otherwise htmlspecialchars() would undo all your hard work.


After that conversion, the strings you search for must be the HTML-encoded forms: for example, the double quote " has become &quot;, so the link pattern looks for [link=&quot; rather than [link=".


The nl2br() function converts carriage-return/newline characters into <br> tags; it too is applied after htmlspecialchars().


When converting [link="..."] into <a href="...">, you must make sure that the submitter cannot insert a JavaScript script. A simple way is to change [link="javascript into [link=" javascript (with a space); the tag then no longer matches the pattern and is simply displayed as the original text.
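As an added example (not the article's outputlib.php or test.php), here is the same tag scheme written for current PHP: preg_replace_callback() stands in for the removed ereg_replace(), both quote characters are escaped, and a link becomes <a href> only when its target starts with http://, https:// or #, an allow-list that is more robust than checking for the word "javascript". The function name and the sample text are assumptions constructed for this example.

```php
<?php
// Added example, not the article's outputlib.php: the same tag scheme for PHP 7/8
// with preg_replace_callback() and an allow-list of link schemes instead of a
// blacklist on the word "javascript". Tag names are assumed to be lower-case.
function format_output_modern(string $raw): string
{
    // Escape first. ENT_QUOTES also encodes ' as &#039;, so neither quote
    // character survives to close an attribute we build below.
    $out = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // One-to-one tags, applied in a single pass.
    $simple = [
        '[p]' => '<p>',
        '[b]' => '<b>', '[/b]' => '</b>',
        '[i]' => '<i>', '[/i]' => '</i>',
        '[pre]' => '<pre>', '[/pre]' => '</pre>',
        '[indent]' => '<blockquote>', '[/indent]' => '</blockquote>',
        '[/link]' => '</a>',
    ];
    $out = str_replace(array_keys($simple), array_values($simple), $out);

    // Anchors: restrict the name to a safe character set instead of [[:graph:]].
    $out = preg_replace('/\[anchor=&quot;([A-Za-z0-9_-]+)&quot;\]/', '<a name="$1"></a>', $out);

    // Links: only http(s) URLs and in-page fragments become <a href>. Anything
    // else keeps the article's fallback and is shown as the literal tag text.
    $out = preg_replace_callback(
        '/\[link=&quot;([[:graph:]]+)&quot;\]/',
        function (array $m): string {
            return preg_match('/^(https?:\/\/|#)/i', $m[1])
                ? '<a href="' . $m[1] . '">'
                : $m[0];
        },
        $out
    );

    return nl2br($out);
}

// Constructed sample: the article's tags plus raw HTML and a javascript: link.
$sample = "This is [b]bold[/b] and [link=\"http://www.phpbuilder.com\"]a link[/link]\n"
        . "[anchor=\"test\"]target, [link=\"#test\"]jump[/link] to it\n"
        . "<script>alert('Do something bad here!')</script> [link=\"javascript:x\"]text[/link]";
echo format_output_modern($sample), "\n";
```

The third sample line comes out with the script tags entity-encoded and the javascript: link left as visible text, while the first two lines produce working <b>, <a href> and <a name> markup.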


outputlib.php


Call test.php in the browser to see format_output() in use. Normal HTML tags cannot be used; the following special tags are used instead:


- [b]This is bold[/b]

- [i]This is italics[/i]

- This is [link="http://www.phpbuilder.com"]a link[/link]

- This is [anchor="test"]an anchor, and a [link="#test"]link[/link] to the anchor

- [p] Paragraph

- [pre] pre-formatted [/pre]

- [indent] indented text [/indent]


These are just a few tags; of course, you can add more tags as you need them.


Conclusion



This discussion has provided a safe way to display user input, which can be used in programs such as:

- message walls

- user recommendations

- system bulletins

- BBS systems
