We will discuss the dangers of unfiltered output and give a safe way to display formatted output.
No risk of filtering output
If you just get the user's input and then display it, you might break your output page, as some people can maliciously embed JavaScript scripts in their input boxes:
This is my comment.
Alert (do something bad here!) " .
In this way, even if the user is not malicious, it will destroy some of your HTML statements, such as a sudden interruption of the table, or the page is not complete display.
Show only unformatted text
This is the simplest solution, you just display the user-submitted information as unformatted text. Using the Htmlspecialchars () function, converts all characters into HTML encoding.
As out, this guarantees that there will be no unexpected HTML markup output at an inappropriate time.
This is a good solution if your users are only interested in text content that is not formatted. However, if you give some ability to format, it will be better.
Formatting with Custom Markup Tags
User's own tag for formatting
You can provide special tags for users to use, for example, you can allow the use of [b] ... [/b] heavier display, [i] ... [/I] italic display, so simple to find the replacement operation can be: $output = Str_replace ("[b]", "
$output = Str_replace ("[I]", "
A little better, we can allow the user to type some links. For example, the user will be allowed to enter [link= "url"] ... [/link], we will convert to
At this point, we cannot use a simple find substitution and should replace it with a regular expression:
$output = Ereg_replace ([link=] ([[: graph:]]+)],
The execution of Ereg_replace () is:
Find the string that appears [link= ...], use
[[: Graph:]] means any non-null character, see related articles for regular expressions.
The Format_output () function in outputlib.php provides the conversion of these tokens, the overall principle is: China Network Management Alliance bitscn.com
Call Htmlspecialchars () to convert HTML tags into special encodings, filter out HTML tags that should not be displayed, and then convert a series of our custom tags to the appropriate HTML tags.
Please refer to the following source code:
function Format_output ($output) {
/****************************************************************************
* Takes a raw string ($output) and formats it for output using a special
* Stripped down markup, that's similar to HTML
****************************************************************************/
$output = Htmlspecialchars (stripslashes ($output));
/* New paragraph */
$output = Str_replace ([p], <p>, $output);
/* Bold */
$output = Str_replace ([b], <b>, $output);
$output = Str_replace ([/b], </b>, $output);
/* Italics */
$output = Str_replace ([i], <i>, $output);
$output = Str_replace ([/i], </i>, $output); network Management bitscn_com
/* preformatted */
$output = Str_replace ([pre], <pre>, $output);
$output = Str_replace ([/pre], </pre>, $output);
/* indented blocks (blockquote) */
$output = Str_replace ([indent], <blockquote>, $output);
$output = Str_replace ([/indent], </blockquote>, $output);
/* Anchors */
$output = Ereg_replace ([anchor=] ([[: graph:]]+)], <a Name= "1" ></A>, $output);
/* Links, note we try to prevent JavaScript in links */
$output = Str_replace ([link= "JavaScript, [link=" JavaScript, $output);
$output = Ereg_replace ([link=] ([[: graph:]]+)], <a Href= "1";, $output);
$output = Str_replace ([/link], </a>, $output);
Return nl2br ($output);
}
?>
Some places to note:
Remember that replacing a custom tag generates an HTML tag string after calling the Htmlspecialchars () function, not before this call, otherwise your hard work will be wiped out after calling Htmlspecialchars (). Network Management bitscn_com
After the conversion, the lookup HTML code will be replaced, such as the double quote "will be"
The NL2BR () function converts the carriage return newline character to the
When converting [links= "] to
outputlib.php
You can see the usage of format_output () by calling Test.php in the browser.
Normal HTML tags cannot be used, replace them with the following special tags:
-this is [b]bold[/b]
-this is [i]italics[/i]
-This is [link= "http://www.phpbuilder.com"]a Link[/link]
-This is [anchor= "test"]an anchor, and a [link= "#test"]link[/link] to the anchor
[P] Paragraph
[Pre] preformatted [/pre]
[Indent] Interleaved text [/indent]
These are just a few of the markings, and of course you can add more tags to your needs as you wish. Network Management Alliance Bitscn@com
Conclusion
Conclusion
This discussion provides a safe way to display user input, which can be used in the following programs
Message boards
User recommendations
System Bulletin
BBS system
http://www.bkjia.com/PHPjc/508214.html www.bkjia.com true http://www.bkjia.com/PHPjc/508214.html techarticle we will discuss the dangers of unfiltered output and give a safe way to display formatted output. There is no danger of filtering the output if you just get the user's input and then display ...