PHP BBcode 使用 preg_replace() - 防止用户输入 onClick、onKeyPress
我有一个简单的问题(不适合我),好的,首先请看一下:
$msg=preg_replace("/\[b(.*?)\](.*?)\[\/b\]/i", "<b $1>$2</b>", $msg);
好的,在该 regEXP 上, $msg 将替换找到的任何内容并将其放入新的表单中(我不知道如何解释,举个例子怎么样):
它会变成
[b]TEXT[/b]
或者
<b>TEXT</b>
它将变成
[b style="color: red;" title="HELLO"]TEXT[/b]
这
<b style="color: red;" title="HELLO">TEXT</b>
是问题的根源,如果它变成:
[b onclick="SOME TROJAN SCRIPT"]TEXT[/b]
变成
<b onclick="SOME TROJAN SCRIPT">TEXT</b>
我想做的就是替换所有属性 [b 之后attribute1 attribute2...attributeN],该函数将保留这些属性只要它们不以 on 开头(例如 onClick、onMouseOver...)。
我很感激任何建议^^!提前谢谢各位了...
I have a simple question (not for me), ok, at first, please take a look at this:
$msg=preg_replace("/\[b(.*?)\](.*?)\[\/b\]/i", "<b $1>$2</b>", $msg);
Okay, on that regEXP, a $msg will replace any thing found and put it into a new form (I don't know how to explain, how about an example):
It will turn
[b]TEXT[/b]
into
<b>TEXT</b>
Or it will turn
[b style="color: red;" title="HELLO"]TEXT[/b]
into
<b style="color: red;" title="HELLO">TEXT</b>
Here is where the problem springs from, what happen if it turns:
[b onclick="SOME TROJAN SCRIPT"]TEXT[/b]
into
<b onclick="SOME TROJAN SCRIPT">TEXT</b>
And all I want to do is instead of replace all attributes go after [b attribute1 attribute2...attributeN], the function will remain those attributes AS LONG AS THEY DO NOT START WITH on (like onClick, onMouseOver...).
I appreciate for any suggestion ^^! Thank you guys in advanced...
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
PECL 提供BBCode 包。如果您无法安装 PECL 软件包,还有 PEAR 软件包 eqiv。一旦你解决了这个问题,BBCode 的使用将会变得更加容易。
PECL offers a BBCode package. Also PEAR package eqiv, if you can't install PECL packages. Will make working with BBCode's much easier for you... once you work it out.
正则表达式很少是阻止 HTML/JavaScript 相关安全问题的正确工具。
使用 HTML 解析器。
Regex is rarely ever the right tool to stop HTML/JavaScript related security issues.
Use a HTML parser.
列入白名单比列入黑名单要容易得多,特别是因为恶意用户可以通过多种方式混淆 JavaScript。我会列出一份可接受的条目清单,然后从那里开始工作。是的,我意识到他们在技术上可以在那里有任何 css 条目,但是 (1) 你是那个想要允许用户创建自己的 HTML 的人,实际上会引发各种 XSS 头痛,并且 (2) 这只是一个
标签,因此您应该可以使用一小部分允许的 css 命令。This will be far easier to whitelist than blacklist, particularly because of the myriad of ways malicious users can obfuscate the javascript. I would make a list of acceptable entries and work from there instead. Yes, I realize that they could technically have any css entry there, but (1) you're the one who wants to allow users to create their own HTML, practically inviting all sorts of XSS headaches, and (2) this is only a
<b>tag, so you should be OK with a small subset of allowable css commands.你在玩火,但这应该可以解决你眼前的问题:
s/\[b(\s*|\s+(?:(?!(?<=\s)on..*?\s*= \s*['"]).)*?)\](.*?)\[\/b\]/$2<\/b>/xi或 rx =
/\[b(\s*|\s+(?:(?!(?<=\s)on..*?\s*=\s*['"]).)*?) \](.*?)\[\/b\]/和 replacement =
$2<\/b>以及其他一些细微的修复。
编辑示例的测试用例
[b onclick="alert('HELLO');"]HELLO[/b]输出
Your playing with fire but this should cure your immediate problem:
s/\[b(\s*|\s+(?:(?!(?<=\s)on..*?\s*=\s*['"]).)*?)\](.*?)\[\/b\]/<b$1>$2<\/b>/xior rx =
/\[b(\s*|\s+(?:(?!(?<=\s)on..*?\s*=\s*['"]).)*?)\](.*?)\[\/b\]/and replacement =
<b$1>$2<\/b>and some other subtle fixes.
EDIT A test case for sample
[b onclick="alert('HELLO');"]HELLO[/b]Output