PHP displays formatted user input. You can download the files attached to this document on this page or in character processing of the file download. This document describes how to securely display formatted user input. You can download the files attached to this document on this page or in character processing of the file download. This document describes how to securely display formatted user input. We will discuss the danger of output without filtering, and provide a safe way to display and format the output.
No risk of filtering output
If you only obtain user input and display it, you may destroy your output page. for example, some people can maliciously embed javascript scripts in the input box they submit:
This is my comment.
<Script language = "javascript:
Alert ('Do something bad here! ') ">.
In this way, even if the user is not malicious, some HTML statements may be damaged, such as a table suddenly interrupted or the page display is incomplete.
Only show unformatted text
This is the simplest solution. you only display the information submitted by users as unformatted text. Use the htmlspecialchars () function to convert all characters into HTML encoding.
For example, <B>
This ensures that no unexpected HTML tags are output when they are not appropriate.
This is a good solution. if your users only pay attention to text content without format. However, if you provide some formatting capabilities, it will be better.
Formatting with Custom Markup Tags
Format your own tags
You can provide special tags for users. for example, you can use [B]... [/B] aggravated display, [I]... [/I] italic display, so you can simply search for and replace: $ output = str_replace ("[B]", "<B>", $ output );
$ Output = str_replace ("[I]", "<I>", $ output );
In addition, we can allow users to type some links. For example, you can enter [link = "url"]... [/link] and convert it to the <a href = "">... </a> statement.
In this case, we cannot use a simple search Replacement. we should replace it with a regular expression:
$ Output = ereg_replace ('\ [link = "([: graph:] +)" \]', '<a href = "\ 1"> ', $ output );
The execution of ereg_replace () is:
Search for the string that appears [link = "..."] and replace it with <a href = "...">
[[: Graph:] indicates any non-null characters. For more information about regular expressions, see related articles.
The format_output () function in outputlib. php provides the conversion of these tags. the general principle is:
Call htmlspecialchars () to convert the HTML tag to a special encoding, and filter out the HTML tag that should not be displayed,
Then, convert a series of custom tags into corresponding HTML tags.
See the following source code:
<? Php
Function format_output ($ output ){
/*************************************** *************************************
* Takes a raw string ($ output) and formats it for output using a special
* Stripped down markup that is similar to HTML
**************************************** ************************************/
$ Output = htmlspecialchars (stripslashes ($ output ));
/* New paragraph */
$ Output = str_replace ('[p]', '<p>', $ output );
/* Bold */
$ Output = str_replace ('[B]', '<B>', $ output );
$ Output = str_replace ('[/B]', '</B>', $ output );
/* Italics */
$ Output = str_replace ('[I]', '<I>', $ output );
$ Output = str_replace ('[/I]', '</I>', $ output );
/* Preformatted */
$ Output = str_replace ('[pre]', '<pre>', $ output );
$ Output = str_replace ('[/pre]', '</pre>', $ output );
/* Indented blocks (blockquote )*/
$ Output = str_replace ('[indent]', '<blockquote>', $ output );
$ Output = str_replace ('[/indent]', '</blockquote>', $ output );
/* Anchors */
$ Output = ereg_replace ('\ [anchor = "([[: graph:] +)" \]', '<a name = "\ 1"> </a>', $ output );
/* Links, note we try to prevent javascript in links */
$ Output = str_replace ('[link = "javascript', '[link =" javascript', $ output );
$ Output = ereg_replace ('\ [link = "([: graph:] +)" \]', '<a href = "\ 1"> ', $ output );
$ Output = str_replace ('[/link]', '</a>', $ output );
Return nl2br ($ output );
}
?>
Notes:
Remember to replace the custom tag to generate an HTML tag string after you call the htmlspecialchars () function, instead of before calling this function. Otherwise, your hard work will go far after you call htmlspecialchars.
After conversion, the HTML code to be searched will be replaced, for example, double quotation marks will become"
The nl2br () function converts the carriage return linefeed to the <br> flag, which is also after htmlspecialchars.
When converting [links = ""] to <a href = "">, make sure that the submitter does not insert a javascript script, A simple method is to change [link = "javascript to [link =" javascript. this method will not be replaced, but will only display the original code.
Outputlib. php
Call test. php in the browser to view the usage of format_output ().
Normal HTML tags cannot be used. replace them with the following special tags:
-This is [B] bold [/B]
-This is [I] italics [/I]
-This is [link = "http://www.phpbuilder.com"] a link [/link]
-This is [anchor = "test"] an anchor, and a [link = "# test"] link [/link] to the anchor
[P] paragraph
[Pre] pre-format [/pre]
[Indent] staggered Text [/indent]
These are few tags. of course, you can add more tags as needed.
Conclusion
Conclusion
This discussion provides methods for securely displaying user input, which can be used in the following programs
Message Board
User Suggestions
System announcement
BBS systemBytes. We...
