Displaying formatted user input safely in PHP

Source: Internet
Author: User

The files that accompany this article (outputlib.php and test.php) can be downloaded from this page. The article describes how to display formatted user input safely: it discusses the dangers of unfiltered output and gives a safe way to display formatted output.

The risk of unfiltered output

If you simply take the user's input and display it as-is, you risk breaking your page, and a malicious user can embed JavaScript in an input box:

This is my comment.
<script language="javascript">
alert('Do something bad here!')
</script>

Even when the user is not malicious, unescaped input can still corrupt your HTML: an unclosed tag can cut a table short or leave the page only partly rendered.


Show only unformatted text

This is the simplest solution: display whatever the user submitted as unformatted text. The htmlspecialchars() function converts the characters that have a special meaning in HTML (&, <, > and the double quote; the single quote too when ENT_QUOTES is passed, which is the default from PHP 8.1 on) into their entity equivalents.

For example, <b> becomes &lt;b&gt;, so no unexpected HTML tag is ever emitted. Call it as htmlspecialchars($s, ENT_QUOTES, 'UTF-8') so that both kinds of quote are escaped and the character set is explicit.
This is a good solution if your users only need plain text. If you want to give them some ability to format their text, read on.
Formatting with custom markup tags

You can give users special tags of their own, for example a tag for bold and one for italics, in the same [tag] ... [/tag] style as the tags shown below (the article's original names for these two tags were lost; [b] and [i] are used here). Such tags are a simple search-and-replace:

$output = str_replace('[b]', '<b>', $output);
$output = str_replace('[i]', '<i>', $output);

Better still, we can let users type links. For example, the user is allowed to enter [link="url"] ... [/link], which we convert into <a href="url"> ... </a>.

Here a simple search-and-replace is not enough, because the URL varies from link to link; we need a regular expression:
$output = ereg_replace('\[link="([[:graph:]]+)"\]', '<a href="\\1">', $output);

What ereg_replace() does here is:
find every occurrence of [link="..."] and replace it with <a href="...">.
[[:graph:]]+ means one or more printable, non-blank characters; see the articles on regular expressions for details. Note that the ereg family was removed in PHP 7.0; the equivalent call today is preg_replace('/\[link="([[:graph:]]+)"\]/', '<a href="$1">', $output), and PCRE accepts the same [[:graph:]] class.


The format_output() function in outputlib.php performs these conversions. The overall principle is:
First call htmlspecialchars() to convert the HTML metacharacters into entities, so that any HTML tags the user typed are rendered as harmless text rather than interpreted by the browser.
Then convert our own series of custom tags into the corresponding HTML tags.
The source code follows:
<?php

function format_output($output) {
/****************************************************************************
 * Takes a raw string ($output) and formats it for output using a special
 * stripped-down markup that is similar to HTML.
 *
 * Notes on this listing: ereg_replace() was removed in PHP 7.0, so the
 * regular-expression calls below use preg_replace() with the same patterns.
 * stripslashes() only made sense with magic_quotes_gpc, which was removed
 * in PHP 5.4. The tag names [b], [i] and [indent] are reconstructed; the
 * page lost the article's own names for bold, italics and blockquote.
 ****************************************************************************/

    $output = htmlspecialchars(stripslashes($output));

    /* new paragraph */
    $output = str_replace('[p]', '<p>', $output);

    /* bold */
    $output = str_replace('[b]', '<b>', $output);
    $output = str_replace('[/b]', '</b>', $output);

    /* italics */
    $output = str_replace('[i]', '<i>', $output);
    $output = str_replace('[/i]', '</i>', $output);

    /* preformatted */
    $output = str_replace('[pre]', '<pre>', $output);
    $output = str_replace('[/pre]', '</pre>', $output);

    /* indented blocks (blockquote) */
    $output = str_replace('[indent]', '<blockquote>', $output);
    $output = str_replace('[/indent]', '</blockquote>', $output);

    /* anchors; the user's double quotes are already &quot; after htmlspecialchars() */
    $output = preg_replace('/\[anchor=&quot;([[:graph:]]+)&quot;\]/', '<a name="$1"></a>', $output);

    /* links, note we try to prevent JavaScript in links: breaking the opening
       tag stops the regex below from matching it. This is a case-sensitive
       blocklist (see the notes after the listing). */
    $output = str_replace('[link=&quot;javascript', '[link=]javascript', $output);
    $output = preg_replace('/\[link=&quot;([[:graph:]]+)&quot;\]/', '<a href="$1">', $output);
    $output = str_replace('[/link]', '</a>', $output);

    return nl2br($output);
}

?>

Some points to note:

The custom tags must be replaced with HTML after the call to htmlspecialchars(), not before it; otherwise your hard work is wiped out when htmlspecialchars() escapes the tags you have just generated.

Because of that order, the strings you search for must be the escaped forms: the double quote " in [link="..."] has already become &quot; by the time the replacement runs, so the pattern must match [link=&quot;...&quot;].

The nl2br() function converts newlines into <br> tags; it too runs after htmlspecialchars().

When converting [link="..."] into <a href="...">, you must make sure the submitter cannot smuggle in a javascript: URL. The trick used above is to rewrite [link="javascript into [link=]javascript, which the regular expression no longer matches, so the original text is simply displayed. Be aware that this is a blocklist and that str_replace() is case-sensitive while URL schemes are not: [link="JavaScript:..."] or [link="JAVASCRIPT:..."] passes through unchanged and becomes a live link, and other risky schemes such as vbscript: and data: are not covered at all. A safer approach is to extract the scheme with a case-insensitive regular expression and allow only an explicit list (http, https, mailto and same-page #anchors), rejecting everything else.
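As an added example (not the article's outputlib.php), here is a hardened rewrite of format_output() for current PHP that applies the notes above: preg_replace() in place of the removed ereg_replace(), htmlspecialchars() with ENT_QUOTES and an explicit character set, and an allowlist of URL schemes instead of the case-sensitive javascript blocklist. It also serves as the worked version of the [link] conversion discussed earlier in the article. The bracket names [b], [i] and [indent] for bold, italics and blockquote are assumptions, since the page lost the article's own names; the sample inputs at the end are constructed for the demonstration, and article_link_filter() reproduces the article's link handling only so the two can be compared.

```php
<?php
// Added example, not the article's outputlib.php: a hardened format_output()
// for PHP 7/8. Changes from the article's version:
//   * preg_replace() instead of ereg_replace(), which was removed in PHP 7.0;
//   * htmlspecialchars() with ENT_QUOTES and an explicit charset;
//   * links are accepted by an allowlist of schemes (http, https, mailto and
//     same-page "#fragment" targets) instead of a blocklist of "javascript";
//   * no stripslashes(), since magic_quotes was removed in PHP 5.4.
// Assumption: the bracket tags for bold, italics and blockquote are taken to
// be [b], [i] and [indent]; the article's own names for them were lost.
declare(strict_types=1);

const SAFE_SCHEMES = ['http', 'https', 'mailto'];

function is_safe_link_target(string $target): bool
{
    // $target is still HTML-escaped; compare against the decoded value so an
    // entity cannot disguise the scheme.
    $decoded = html_entity_decode($target, ENT_QUOTES, 'UTF-8');
    // Browsers ignore ASCII control characters and whitespace inside a scheme,
    // so strip them before looking at it ("java\tscript:" must not pass).
    $stripped = preg_replace('/[\x00-\x20]/', '', $decoded);
    if ($stripped === '') {
        return false;
    }
    if ($stripped[0] === '#') {           // same-page anchor, e.g. "#test"
        return true;
    }
    if (preg_match('/^([a-z][a-z0-9+.-]*):/i', $stripped, $m)) {
        return in_array(strtolower($m[1]), SAFE_SCHEMES, true);
    }
    // No scheme at all: a relative path such as "/faq.html". Anything with a
    // stray colon is rejected rather than guessed at.
    return strpos($stripped, ':') === false;
}

function format_output_safe(string $output): string
{
    // 1. Escape first. Everything after this line sees &quot; instead of ",
    //    which is why the tag patterns below are written with &quot;.
    $output = htmlspecialchars($output, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // 2. Simple paired tags: plain search-and-replace, case-insensitive.
    $simple = [
        '[p]'      => '<p>',
        '[b]'      => '<b>',           '[/b]'      => '</b>',
        '[i]'      => '<i>',           '[/i]'      => '</i>',
        '[pre]'    => '<pre>',         '[/pre]'    => '</pre>',
        '[indent]' => '<blockquote>',  '[/indent]' => '</blockquote>',
    ];
    $output = str_ireplace(array_keys($simple), array_values($simple), $output);

    // 3. Anchors: the name is limited to characters that cannot end the attribute.
    $output = preg_replace(
        '/\[anchor=&quot;([A-Za-z0-9_.-]+)&quot;\]/i',
        '<a name="$1"></a>',
        $output
    );

    // 4. Links: [link="url"]text[/link] is converted only if the url passes
    //    the allowlist; otherwise the whole tag is left as inert escaped text.
    $output = preg_replace_callback(
        '/\[link=&quot;([^\s\[\]]+?)&quot;\](.*?)\[\/link\]/is',
        function (array $m): string {
            return is_safe_link_target($m[1])
                ? '<a href="' . $m[1] . '">' . $m[2] . '</a>'
                : $m[0];
        },
        $output
    );

    return nl2br($output);
}

// The article's link filter, reproduced for comparison: str_replace() is
// case-sensitive, but URL schemes are not.
function article_link_filter(string $raw): string
{
    $out = htmlspecialchars($raw);
    $out = str_replace('[link=&quot;javascript', '[link=]javascript', $out);
    $out = preg_replace('/\[link=&quot;([^\s\[\]]+?)&quot;\]/', '<a href="$1">', $out);
    return str_replace('[/link]', '</a>', $out);
}

// Constructed sample inputs for the demonstration.
$samples = [
    'ok'     => 'See [link="https://www.phpbuilder.com"]PHPBuilder[/link], [anchor="top"]top',
    'bypass' => '[link="JavaScript:alert(1)"]click me[/link]',
    'html'   => "<script>alert(1)</script>\n[b]bold[/b] and [link=\"/faq.html\"]FAQ[/link]",
];
foreach ($samples as $name => $raw) {
    echo $name, ":\n  article : ", article_link_filter($raw), "\n";
    echo "  hardened: ", format_output_safe($raw), "\n\n";
}
```

Run it with `php format_output_safe.php`. On the 'bypass' sample the article's filter emits <a href="JavaScript:alert(1)">, a live link, because the lowercase search string never matches the capitalised scheme; the hardened function leaves [link=&quot;JavaScript:alert(1)&quot;]click me[/link] as visible text. On the 'html' sample the script tag is escaped by both, while [b] and the relative /faq.html link are converted. Matching the opening and closing [link] tags in one pattern also means a rejected link does not leave a stray </a> behind.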

outputlib.php is the library file; you can see format_output() in use by loading test.php in the browser. The text in test.php is:

Normal HTML tags cannot be used; use the following special tags instead:

- [b]This is bold[/b]
- [i]This is italics[/i]
- This is [link="http://www.phpbuilder.com"]a link[/link]
- This is [anchor="test"]an anchor, and a [link="#test"]link[/link] to the anchor

[p] Paragraph
[pre] preformatted [/pre]

[indent] Indented text [/indent]

These are just a few tags; you can of course add more to suit your needs.

Conclusion

This article has given a safe way to display user input, which can be used in programs such as:

Message boards
User reviews
System bulletins
BBS systems

Detailed Description: http://php.662p.com/thread-343-1-1.html
