We will discuss the danger of output without filtering, and provide a safe way to display and format the output.
No risk of filtering output
If you only obtain user input and display it, you may destroy your output page. For example, some people can maliciously embed javascript scripts in the input box they submit:
This is my comment.
<Script language = "javascript:
Alert (Do something bad here !) ">.
In this way, even if the user is not malicious, some HTML statements may be damaged, such as a table suddenly interrupted or the page display is incomplete.
Only show unformatted text
This is the simplest solution. You only display the information submitted by users as unformatted text. Use the htmlspecialchars () function to convert all characters into HTML encoding.
For example, if <B> is changed to <B>, this ensures that no unexpected HTML Tag is output when it is inappropriate.
This is a good solution. If your users only pay attention to text content without format. However, if you provide some formatting capabilities, it will be better.
Formatting with Custom Markup Tags
Format your own tags
You can provide special tags for users. For example, you can use [B]... [/B] aggravated display, [I]... [/I] italic display, so you can simply search for and replace: $ output = str_replace ("[B]", "<B>", $ output );
$ Output = str_replace ("[I]", "<I>", $ output );
In addition, we can allow users to type some links. For example, you can enter [link = "url"]... [/link] and convert it to the <a href = "">... </a> statement.
In this case, we cannot use a simple search replacement. We should replace it with a regular expression:
$ Output = ereg_replace ([link = "([: graph:] +)"], <a href = "1">, $ output );
The execution of ereg_replace () is:
Search for the string that appears [link = "..."] and replace it with <a href = "...">
[[: Graph:] indicates any non-null characters. For more information about regular expressions, see related articles.
The format_output () function in outputlib. php provides the conversion of these tags. The general principle is: China Network Management Alliance bitsCN.com
Call htmlspecialchars () to convert the HTML tag to a special encoding, filter out the HTML Tag that should not be displayed, and then convert a series of custom tags to the corresponding HTML Tag.
See the following source code:
<? Php
Function format_output ($ output ){
/*************************************** *************************************
* Takes a raw string ($ output) and formats it for output using a special
* Stripped down markup that is similar to HTML
**************************************** ************************************/
$ Output = htmlspecialchars (stripslashes ($ output ));
/* New paragraph */
$ Output = str_replace ([p], <p>, $ output );
/* Bold */
$ Output = str_replace ([B], <B>, $ output );
$ Output = str_replace ([/B], </B>, $ output );
/* Italics */
$ Output = str_replace ([I], <I>, $ output );
$ Output = str_replace ([/I], </I>, $ output); Network Management bitscn_com
/* Preformatted */
$ Output = str_replace ([pre], <pre>, $ output );
$ Output = str_replace ([/pre], </pre>, $ output );
/* Indented blocks (blockquote )*/
$ Output = str_replace ([indent], <blockquote>, $ output );
$ Output = str_replace ([/indent], </blockquote>, $ output );
/* Anchors */
$ Output = ereg_replace ([anchor = "([: graph:] +)"], <a name = "1"> </a>, $ output );
/* Links, note we try to prevent javascript in links */
$ Output = str_replace ([link = "javascript, [link =" javascript, $ output );
$ Output = ereg_replace ([link = "([: graph:] +)"], <a href = "1">, $ output );
$ Output = str_replace ([/link], </a>, $ output );
Return nl2br ($ output );
}
?>
Notes:
Remember to replace the custom tag to generate an HTML Tag string after you call the htmlspecialchars () function, instead of before calling this function. Otherwise, your hard work will go far after you call htmlspecialchars. Network Management bitscn_com
After conversion, the HTML code to be searched will be replaced, for example, double quotation marks will become"
The nl2br () function converts the carriage return linefeed to the <br> flag, which is also after htmlspecialchars.
When converting [links = ""] to <a href = "">, make sure that the submitter does not insert a javascript script, A simple method is to change [link = "javascript to [link =" javascript. This method will not be replaced, but will only display the original code.
Outputlib. php
Call test. php In the browser to view the usage of format_output ().
Normal HTML tags cannot be used. replace them with the following special tags:
-This is [B] bold [/B]
-This is [I] italics [/I]
-This is [link = "http://www.phpbuilder.com"] a link [/link]
-This is [anchor = "test"] an anchor, and a [link = "# test"] link [/link] to the anchor
[P] Paragraph
[Pre] pre-format [/pre]
[Indent] staggered text [/indent]
These are few tags. Of course, you can add more tags to the network management Alliance bitsCN @ com as needed.
Conclusion
Conclusion
This discussion provides methods for securely displaying user input, which can be used in the following programs
Message Board
User suggestions
System announcement
BBS system