You can download the file that came with this document on this page, or you can download the document describing how to safely display the formatted user input in the character processing in the file download. We will discuss the dangers of not filtering out the output, and give a safe way to display the formatted output.
No risk of filtration output
If you just get the user's input and then display it, you may damage your output page, as some people can maliciously embed JavaScript scripts in their input boxes:
This is my comment.
<script language= "javascript:
Alert (' Do something Bad here! ') " ".
In this way, even if the user is not malicious, it will destroy some of your HTML statements, such as a table suddenly interrupted, or the page display is not complete.
Show only unformatted text
This is the simplest solution, and you simply display the information submitted by the user as unformatted text. Using the Htmlspecialchars () function, converts all the characters into HTML encoding.
such as <b> will be converted to <B>, which ensures that no unexpected HTML markup is exported at an inappropriate time.
This is a good solution if your users focus only on unformatted text content. However, if you give some ability to format, it will be better.
Formatting with Custom Markup Tags
Format the user's own markup
You can provide special tags for users to use, for example, you can allow the use of [b] ... [/b] aggravated display, [i] ... [/I] italic display, so do a simple find replacement operation is OK: $output = Str_replace ("[b]", "<b>", $output);
$output = Str_replace ("[I]", "<i>", $output);
To make it better, we can allow the user to type some links. For example, the user will be allowed to enter [link= URL] ... [/link], we will convert to <a Href= "" "... </a> statement
At this point, we cannot use a simple lookup substitution, and we should replace it with a regular expression:
$output = ereg_replace (' \[link= ') ([[: graph:]]+) ' \] ', ' <a Href= ' \\1 ' > ', $output);
The implementation of Ereg_replace () is:
Find the string that appears [link= ...], use <a Href= "..." > replace it
[[: Graph:]] means any non-null character, please see the relevant article about regular expressions.
The Format_output () function in outputlib.php provides conversions of these tags, and the overall principle is:
Call Htmlspecialchars () to convert HTML tags to special encodings and filter out HTML tags that should not be displayed.
Then, we convert a series of our custom tags to the corresponding HTML tags.
Please refer to the source code below:
<?php
function Format_output ($output) {
/****************************************************************************
* Takes a raw string ($output) and formats it for output using a special
* Stripped down markup it similar to HTML
****************************************************************************/
$output = Htmlspecialchars (stripslashes ($output));
* New paragraph * *
$output = Str_replace (' [P] ', ' <p> ', $output);
/* Bold * *
$output = Str_replace (' [b] ', ' <b> ', $output);
$output = Str_replace (' [/b] ', ' </b> ', $output);
* Italics * *
$output = Str_replace (' [i] ', ' <i> ', $output);
$output = Str_replace (' [i] ', ' </i> ', $output);
* preformatted * *
$output = Str_replace (' [Pre] ', ' <pre> ', $output);
$output = Str_replace (' [/pre] ', ' </pre> ', $output);
/* indented blocks (blockquote) * *
$output = Str_replace (' [Indent] ', ' <blockquote> ', $output);
$output = Str_replace (' [/indent] ', ' </blockquote> ', $output);
* Anchors * *
$output = ereg_replace (' \[anchor= ') ([[: graph:]]+) ' \] ', ' <a Name= ' \\1 ' ></a> ', $output);
/* Links, note we try to prevent JavaScript in links */
$output = Str_replace (' [link= ' JavaScript ', ' [link= ' JavaScript ', $output);
$output = ereg_replace (' \[link= ') ([[: graph:]]+) ' \] ', ' <a Href= ' \\1 ' > ', $output);
$output = Str_replace (' [/link] ', ' </a> ', $output);
Return nl2br ($output);
}
?>
Some places to note:
Remember that replacing a custom tag generates an HTML tag string is after calling the Htmlspecialchars () function, not before this call, otherwise your hard work will be in vain after calling Htmlspecialchars ().
After the conversion, the lookup of the HTML code will be replaced, such as double quotes "will become"
The NL2BR () function converts the carriage return newline character to the <br> tag, after Htmlspecialchars ().
When converting [links= "] to <a Href=" ", you must make sure that the submitter does not insert JavaScript script, an easy way to change [link=" JavaScript to [link= "JavaScript, which will not be replaced, Just show the original code.
outputlib.php
Call test.php in the browser to see the use of Format_output ()
A normal HTML tag cannot be used and replaces it with the following special tags:
-this is [b]bold[/b]
-this is [i]italics[/i]
-This is [link= "http://www.phpbuilder.com"]a Link[/link]
-This is [anchor= ' Test ']an anchor, and a [link= ' #test ']link[/link] to the anchor
[P] Paragraph
[Pre] pre-formatted [/pre]
[Indent] Interleaved text [/indent]
These are just a few tags, and of course, you can add more tags to your needs at random.
Conclusion
Conclusion
This discussion provides a safe way to display user input, which can be used in the following programs
Walls
User recommendations
System Bulletin
BBS system
