RE: [NEWBIE] How to allow for <a href> tags but no others?

Hey

Most of your question can be answered by this one, I hope.
I don't know how to make it so that only <a> would work, but I know how to make it so it could work.
You could change the "<, >" in only the <a> tags to "[ ]" before you take the HTML tags out, then afterwards change the "[,]" back to "<,>" in only the [a] tags, or you could just use some forum code. Here is some that I have made.
////forum code///
// Converts a handful of BBCode-style tags to HTML. Note that nothing here
// escapes HTML that is already in $str, so a raw <script> tag passes
// straight through to the output.
function replace_output($str){
    // Tags without parameters: a plain string swap is enough.
    $search  = array("[b]", "[/b]", "[i]", "[/i]", "[u]", "[/u]", "[br]", "[li]", "[/li]", "[q]", "[/q]", "[center]", "[/center]");
    // As posted, "[/li]" mapped to itself (not "</li>") and [q]/[/q] mapped to
    // two undefined variables $q1/$q2; <blockquote> is assumed here to be the
    // intended output for the quote tag.
    $replace = array("<b>", "</b>", "<i>", "</i>", "<u>", "</u>", "<br>", "<li>", "</li>", "<blockquote>", "</blockquote>", "<center>", "</center>");
    $str = str_replace($search, $replace, $str);
    // Tags with parameters. eregi_replace() was removed in PHP 7; preg_replace()
    // with the i flag is the equivalent. [^\[]* matches up to the next "[".
    $str = preg_replace('~\[img\]([^\[]*)\[/img\]~i', '<img src="$1">', checkImgURL($str));
    $str = preg_replace('~\[aim\]([^\[]*)\[/aim\]~i', '<a href="aim:goim?screenname=$1">$1</a>', $str);
    $str = preg_replace('~\[email\]([^\[]*)\[/email\]~i', '<a href="mailto:$1">$1</a>', $str);
    $str = preg_replace('~\[url\]([^\[]*)\[/url\]~i', '<a href="$1" target="_blank">$1</a>', checkURL($str));
    $str = preg_replace('~\[url=([^\[]*)\]([^\[]*)\[/url\]~i', '<a href="$1" target="_blank">$2</a>', checkURL($str));
    $str = preg_replace('~\[color=([^\[]*)\]([^\[]*)\[/color\]~i', '<font color="$1">$2</font>', $str);
    $str = preg_replace('~\[size=([^\[]*)\]([^\[]*)\[/size\]~i', '<font size="$1">$2</font>', $str);
    // Crude attempt to close tags the user left open.
    $str = $str."</b></a></i></u>";
    return $str;
}
//////checkImgURL////
// Tries to make [img] URLs start with http://. It works on the whole post,
// not just the URL, so "www." anywhere in the text gets rewritten.
function checkImgURL($url){
    if(strstr($url, "www") && !strstr($url, "http://")){
        $url = str_replace("www.", "http://www.", $url);
    } elseif((!strstr($url, "www") && !strstr($url, "http://")) || strstr($url, "[img")){
        // Split on spaces and prefix http:// to each [img] that lacks it.
        $url_array = explode(" ", $url);
        $ii = count($url_array);
        for($i = 0; $i < $ii; $i++){
            if(strstr($url_array[$i], "[img]") && !strstr($url_array[$i], "[img]http")){
                $url_array[$i] = str_replace("[img]", "[img]http://", $url_array[$i]);
            }
        }
        $url = implode(" ", $url_array);
    }
    return $url;
}
/////checkURL/////
// Same idea for [url] and [url=...] tags.
function checkURL($url){
    if(strstr($url, "www") && !strstr($url, "http://")){
        $url = str_replace("www.", "http://www.", $url);
    } elseif((!strstr($url, "www") && !strstr($url, "http://")) || strstr($url, "[url")){
        $url_array = explode(" ", $url);
        $ii = count($url_array);
        for($i = 0; $i < $ii; $i++){
            if(strstr($url_array[$i], "[url]") && !strstr($url_array[$i], "[url]http")){
                $url_array[$i] = str_replace("[url]", "[url]http://", $url_array[$i]);
            } elseif(strstr($url_array[$i], "[url=") && !strstr($url_array[$i], "[url=http")){
                $url_array[$i] = str_replace("[url=", "[url=http://", $url_array[$i]);
            }
        }
        $url = implode(" ", $url_array);
    }
    return $url;
}
///////////////done/////////////////////


I hope that helps you
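The forum code above converts BBCode to HTML but never escapes the HTML the user typed, and its [url=...] pattern lets a quote through into the href attribute. The following is an added example, not the poster's code, of the same BBCode approach done in the safer order: escape the whole post first, then turn a whitelist of tags back into HTML, and validate the URL scheme instead of patching "http://" onto it. The function names bbcode_to_html() and safe_url() are hypothetical, and only [b], [i] and the two [url] forms are handled.

```php
<?php
// Added example (not the poster's code): escape first, then re-enable a
// whitelist of BBCode tags. bbcode_to_html() and safe_url() are hypothetical
// names chosen for this example.

// Accept only absolute http(s) URLs. javascript:, data:, vbscript:, relative
// and protocol-relative URLs are rejected rather than "fixed up".
function safe_url(string $url): ?string {
    $url = trim($url);
    return preg_match('~^https?://[^\s"\'<>]+$~i', $url) ? $url : null;
}

function bbcode_to_html(string $post): string {
    // 1. Escape everything. From here on the string holds no markup at all:
    //    "<script>" is now "&lt;script&gt;" and will render as text.
    $html = htmlspecialchars($post, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // 2. Tags without parameters can be swapped back in directly.
    $html = preg_replace('~\[b\](.*?)\[/b\]~is', '<b>$1</b>', $html);
    $html = preg_replace('~\[i\](.*?)\[/i\]~is', '<i>$1</i>', $html);

    // 3. Links: [url]X[/url] or [url=X]text[/url]. The URL is decoded back to
    //    what the user typed, checked, and re-escaped before it goes into the
    //    href attribute. A payload such as [url=http://x/" onmouseover="...]
    //    fails safe_url() (space and quote); even if it had passed, the quote
    //    would be written as &quot; and could not close the attribute.
    $link = function (array $m): string {
        $raw = $m[1] !== '' ? $m[1] : $m[2];   // $m[1] is '' for the [url]X[/url] form
        $url = safe_url(html_entity_decode($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
        if ($url === null) {
            return $m[0];   // invalid link: leave the tag as visible text
        }
        $href = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        return '<a href="' . $href . '" rel="nofollow noopener">' . $m[2] . '</a>';
    };
    return preg_replace_callback('~\[url(?:=([^\]]+))?\](.*?)\[/url\]~is', $link, $html);
}

// Constructed sample posts: a normal post, raw HTML, a javascript: link and
// an attribute-injection attempt against the [url=...] tag.
$samples = [
    '[b]hi[/b] see [url=http://example.com/]example[/url]',
    '<script>alert(1)</script>',
    '[url=javascript:alert(1)]click[/url]',
    '[url=http://x/" onmouseover="alert(1)]click[/url]',
];
foreach ($samples as $s) {
    echo bbcode_to_html($s), "\n";
}
```

The first sample comes out as a bold word and a working link; the second is displayed as literal text; the last two are left as the visible, already-escaped BBCode because safe_url() rejects them. The posted checkURL() happens to neutralise a javascript: URL by prefixing "http://" to it, but only by accident, and it does nothing about a quote inside the tag. Any other parameterised tag ([color=...], [size=...]) needs the same treatment: validate the value against what you expect, and escape it before it lands in an attribute.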

From: Dave <dave@xxxxxxxxxxxxxxx>
To: php-general@xxxxxxxxxxxxx
Subject: [NEWBIE] How to allow for <a href> tags but no others?
Date: Fri, 25 Feb 2005 17:36:31 +0900


PHP General,

1. The Situation:
I have a forum in which users can enter text which is then displayed on my web site. I want to be able to allow them to insert their own <a href> tags to provide links. The text is stored in a MySQL database.


2. The Problem:
My understanding is that if the input of HTML tags or other coding elements is left unrestricted, then the potential is there for users to cause damage either maliciously or by accident by inserting scripts or MySQL commands. Although the users who have access to the text input forms have to pass a username and password check first, I would still rather be safe than sorry. Mostly I am concerned about people unfamiliar with HTML inserting incorrect code which may break the page design.


3. The Question:
Can I set up a PHP script which will strictly only allow instances of <a href="???"> and </a> and absolutely nothing else? I would like the default behavior to be that if any other tag element, or use of "<" or ">" be simply deleted from the text before inserting it into the database. I could reject text with incorrect tags altogether, but then I'll be spending a lot of time explaining how to correct code to people who are anxious to get their text on the site. Far better that they at least be able to get basic text up even when they mess up the code they want to insert.
Can this be done?
Will it be sufficient to protect the system against bad code?


4. What I've Done So Far:
I've looked into htmlspecialchars() <http://jp.php.net/manual/en/function.htmlspecialchars.php> and htmlentities() <http://jp.php.net/manual/en/function.htmlentities.php>, thinking that they perhaps could pull out characters used in tags, but they seem to be more for formatting script, not filtering it.
I'm assuming I need a string_replace() code of some kind. But I'm lost as to how to specify to allow "<" only when immediately followed by either "a href =" or "/a>" and accept no other instances.
It was when I realized that people might potentially be able to insert some JavaScript inside of the quotes after "href=" that I realized I was in over my head.


   Any help much appreciated.

--
Dave Gutteridge
dave@xxxxxxxxxxxxxxx
Tokyo Comedy Store
http://www.tokyocomedy.com/english/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
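The question asks for exactly one allowed construct, <a href="..."> and </a>, with every other tag and stray angle bracket removed, and it also raises the javascript:-in-the-href worry. The following is an added example, not code from the thread, of one way to do that in PHP: vetted anchors are parked behind placeholders, every other tag is stripped and the remaining text is escaped, then the anchors are restored and any the user left open are closed. allow_only_links() and safe_url() are hypothetical names chosen for this example.

```php
<?php
// Added example (not from the thread): keep only <a href="...">...</a>,
// delete every other tag, and never let a non-http(s) URL into href.
// allow_only_links() and safe_url() are hypothetical names.

// Only absolute http(s) URLs may go into href. This is what blocks the
// "javascript: inside the quotes" case the question worries about.
function safe_url(string $url): ?string {
    $url = trim($url);
    return preg_match('~^https?://[^\s"\'<>]+$~i', $url) ? $url : null;
}

function allow_only_links(string $input): string {
    $keep  = [];   // vetted anchor tags, by index
    $depth = 0;    // opened <a> tags not yet closed
    $nonce = bin2hex(random_bytes(8));   // makes the placeholders unguessable

    // 1. Find the two accepted forms and park each behind a placeholder that
    //    contains no "<", ">", "&" or quotes, so steps 2 and 3 cannot alter it.
    $out = preg_replace_callback(
        '~<a\s+href\s*=\s*"([^"]*)"\s*>|</a\s*>~i',
        function (array $m) use (&$keep, &$depth, $nonce): string {
            if (isset($m[1])) {                       // opening tag
                $url = safe_url(html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8'));
                if ($url === null) {
                    return '';                        // bad href: drop the tag
                }
                $depth++;
                $tag = '<a href="' . htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">';
            } else {                                  // closing tag
                if ($depth === 0) {
                    return '';                        // stray </a>: drop it
                }
                $depth--;
                $tag = '</a>';
            }
            $keep[] = $tag;
            return "\x01" . $nonce . ':' . (count($keep) - 1) . "\x01";
        },
        $input
    );

    // 2. Delete every other tag, then escape whatever "<", ">" and quotes are
    //    left so they can never start markup once the text is displayed.
    $out = htmlspecialchars(strip_tags($out), ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // 3. Restore the vetted anchors and close any the user left open, so a
    //    forgotten </a> cannot swallow the rest of the page.
    $out = preg_replace_callback(
        '~\x01' . $nonce . ':(\d+)\x01~',
        function (array $m) use ($keep): string { return $keep[(int) $m[1]]; },
        $out
    );
    return $out . str_repeat('</a>', $depth);
}

// Constructed inputs: a good link, a javascript: link, an event-handler
// smuggling attempt, disallowed tags, and an unclosed anchor.
$samples = [
    'See <a href="http://www.tokyocomedy.com/">the site</a>.',
    '<a href="javascript:alert(1)">click</a>',
    '<a href="http://x/" onmouseover="alert(1)">click</a>',
    '<b>bold</b> and <script>alert(1)</script>',
    '<a href="http://example.com/">oops, forgot to close',
];
foreach ($samples as $s) {
    echo allow_only_links($s), "\n";
}
```

The first sample passes through unchanged. The javascript: link loses both its tags and becomes the bare word "click"; the onmouseover sample never matches the strict opening-tag pattern, so strip_tags() removes it and again only "click" survives; the <b> and <script> tags are deleted leaving their text; and the last sample gets its </a> appended. Because the accepted pattern requires exactly href, double quotes and nothing else inside the tag, there is no way to smuggle a second attribute, and because the URL is checked after entity decoding, writing the scheme as &#106;avascript: does not help. Run this before the text goes into the database, as the question proposes, but note that storing clean text does not replace escaping on output elsewhere in the site.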



