You can download the files attached to this document on this page or in character processing of the file download. This document describes how to securely display formatted user input. We will discuss the danger of output without filtering, and provide a safe way to display and format the output. There is no danger of filtering the output. if you only get the user's input and display it, you can download the file included in this document on this page, you can also download this document in character processing in file downloads to describe how to securely display formatted user input. We will discuss the danger of output without filtering, and provide a safe way to display and format the output.
No risk of filtering output
If you only obtain user input and display it, you may destroy your output page. for example, some people can maliciously embed javascript scripts in the input box they submit:
This is my comment.
<Script language = "javascript:
Alert ('Do something bad here! ') ">.
In this way, even if the user is not malicious, some HTML statements may be damaged, such as a table suddenly interrupted or the page display is incomplete.
Only show unformatted text
This is the simplest solution. you only display the information submitted by users as unformatted text. Use the htmlspecialchars () function to convert all characters into HTML encoding.
For example, <B>
This ensures that no unexpected HTML tags are output when they are not appropriate.
This is a good solution. if your users only pay attention to text content without format. However, if you provide some formatting capabilities, it will be better.
Formatting with Custom Markup Tags
Format your own tags
You can provide special tags for users. for example, you can use [B]... [/B] aggravated display, [I]... [/I] italic display, so you can simply search for and replace: $ output = str_replace ("[B]", "<B>", $ output );
$ Output = str_replace ("[I]", "<I>", $ output );
In addition, we can allow users to type some links. For example, you can enter [link = "url"]... [/link] and convert it to the <a href = "">... </a> statement.
In this case, we cannot use a simple search Replacement. we should replace it with a regular expression:
Search for the string that appears [link = "..."] and replace it with <a href = "...">
[[: Graph:] indicates any non-null characters. For more information about regular expressions, see related articles.
The format_output () function in outputlib. php provides the conversion of these tags. the general principle is:
Call htmlspecialchars () to convert the HTML tag to a special encoding, filter out the HTML tag that should not be displayed, and then convert a series of custom tags to the corresponding HTML tag.
Remember to replace the custom tag to generate an HTML tag string after you call the htmlspecialchars () function, instead of before calling this function. Otherwise, your hard work will go far after you call htmlspecialchars.
After conversion, the HTML code to be searched will be replaced, for example, double quotation marks will become"
The nl2br () function converts the carriage return linefeed to the <br> flag, which is also after htmlspecialchars.
When converting [links = ""] to <a href = "">, make sure that the submitter does not insert a javascript script, A simple method is to change [link = "javascript to [link =" javascript. this method will not be replaced, but will only display the original code.
Outputlib. php
Call test. php in the browser to view the usage of format_output ().
Normal HTML tags cannot be used. replace them with the following special tags:
-This is [B] bold [/B]
-This is [I] italics [/I]
-This is [link = "http://www.phpbuilder.com"] a link [/link]
-This is [anchor = "test"] an anchor, and a [link = "# test"] link [/link] to the anchor
[P] paragraph
[Pre] pre-format [/pre]
[Indent] staggered Text [/indent]
These are few tags. of course, you can add more tags as needed.
Conclusion
Conclusion
This discussion provides methods for securely displaying user input, which can be used in the following programs
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.