We'll discuss the dangers of unsanitized output and give a safe way to display formatted output.
The danger of not filtering output
If you simply take user input and display it as-is, you can break your output page. For example, someone can maliciously embed JavaScript in the input box they submit:
This is my comment. <script language="javascript">alert('Do something bad here!')</script>
Even when the user is not malicious, stray markup in their input can damage your HTML: a table is suddenly cut off, or the page is displayed incompletely.
Show only unformatted text
This is the simplest solution: you display the user-submitted information as unformatted text. Use the htmlspecialchars() function to convert the HTML-significant characters into HTML entities.
For example, <b> is converted to &lt;b&gt;, which guarantees that no unexpected HTML tag can be output at an inappropriate place.
This is a good solution if your users only need plain, unformatted text. It would be better, though, to give them some ability to format their text.
Formatting with custom markup tags
You can provide your own special tags for users to format their text. For example, you can allow [b]...[/b] for bold and [i]...[/i] for italics; these only need a simple search-and-replace:
$output = str_replace("[b]", "<b>", $output);
$output = str_replace("[i]", "<i>", $output);
Even better, we can allow the user to type in links. For example, the user is allowed to enter [link="url"]...[/link], which we convert into an <a href="url">...</a> element.
Here a simple search-and-replace is not enough; the replacement has to be done with a regular expression:
$output = ereg_replace('\[link="([[:graph:]]+)"\]', '<a href="\1">', $output);
This ereg_replace() call finds every place where [link="..."] appears and replaces it with <a href="...">. The square brackets of the tag are escaped because an unescaped [ would start a character class, and \1 in the replacement refers to the text captured by the parenthesised group. [[:graph:]] matches any printable, non-blank character. (ereg_replace() was removed in PHP 7; preg_replace() with a delimited pattern is its modern equivalent.) See the related articles on regular expressions for more detail.
The format_output() function in outputlib.php performs the conversion of these tags. The overall principle is: call htmlspecialchars() to turn the HTML special characters into entities, which neutralises any HTML tags that should not be displayed, and then convert our series of custom tags into the corresponding HTML tags.
Please see the source code below:
<?php
function format_output($output) {
/******************************************************************************
 * Takes a raw string ($output) and formats it for output using a special
 * stripped down markup that is similar to HTML
 ******************************************************************************/
    /* stripslashes() undoes the magic_quotes escaping of old PHP versions;
       htmlspecialchars() must come first so no raw HTML from the user survives.
       It also turns every " into &quot;, which the patterns below account for. */
    $output = htmlspecialchars(stripslashes($output));
    /* new paragraph */
    $output = str_replace('[p]', '<p>', $output);
    /* bold */
    $output = str_replace('[b]', '<b>', $output);
    $output = str_replace('[/b]', '</b>', $output);
    /* italics */
    $output = str_replace('[i]', '<i>', $output);
    $output = str_replace('[/i]', '</i>', $output);
    /* formatted */
    $output = str_replace('[pre]', '<pre>', $output);
    $output = str_replace('[/pre]', '</pre>', $output);
    /* indented blocks (blockquote) */
    $output = str_replace('[indent]', '<blockquote>', $output);
    $output = str_replace('[/indent]', '</blockquote>', $output);
    /* anchors; ereg_replace() was removed in PHP 7, so preg_replace() with a
       delimited pattern is used. The [ ] of the tag are escaped so they are
       not read as a character class, and $1 is the captured anchor name */
    $output = preg_replace('/\[anchor=&quot;([[:graph:]]+)&quot;\]/', '<a name="$1"></a>', $output);
    /* links, note we try to prevent javascript in links: the inserted space is
       not matched by [[:graph:]]+, so such a tag is left as plain text */
    $output = str_replace('[link=&quot;javascript', '[link=&quot; javascript', $output);
    $output = preg_replace('/\[link=&quot;([[:graph:]]+)&quot;\]/', '<a href="$1">', $output);
    $output = str_replace('[/link]', '</a>', $output);
    return nl2br($output);
}
?>
Some notes:
Remember to replace the custom tags with their HTML tags after calling htmlspecialchars(), not before; otherwise htmlspecialchars() will encode the HTML you just generated and your work is wasted.
After the conversion, the strings you search for must be the converted HTML codes. For example, the double quotation mark " becomes &quot;, so any search string that contains a quotation mark must use &quot;. The nl2br() function converts carriage returns and line feeds into <br> tags; it must also run after htmlspecialchars().
When converting [link=""] into <a href="">, you must make sure the submitter cannot insert JavaScript. A simple way is to change [link="javascript into [link=" javascript: because of the inserted space the pattern no longer matches, no replacement takes place, and the original text is simply displayed.
outputlib.php is included by test.php; open test.php in the browser and you can see format_output() in use.
Normal HTML tags cannot be used; replace them with the following special tags:
- this is [b]bold[/b]
- this is [i]italics[/i]
- this is [link="http://www.phpbuilder.com"]a link[/link]
- this is [anchor="test"]an anchor, and a [link="#test"]link[/link] to the anchor
[p]paragraph
[pre]Preformatted[/pre]
[indent]Indented text[/indent]
Of course, you are free to add more tags according to your needs.
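The guard against JavaScript in links above compares one literal, lower-case prefix, and every search string has to match the &quot; that htmlspecialchars() produces. The following is an added example, not the article's outputlib.php, showing one way to harden format_output(): it keeps the same tag set and the same test.php markup, but validates each link target against an allow-list of schemes and relative forms instead of rewriting a single prefix, leaves a refused [link]...[/link] pair as visible text so no stray </a> is emitted, and runs on current PHP, where ereg_replace() no longer exists. The names format_output_safe(), link_target_is_safe() and ALLOWED_SCHEMES are this example's own, and the sample text is constructed.

```php
<?php
// Added example, not the article's outputlib.php: a hardened variant of
// format_output() with the same tag set. The function and constant names
// are this example's own.

const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];

/* Decide whether a link target (still entity-encoded) may become an href. */
function link_target_is_safe(string $target): bool {
    // The target arrives as htmlspecialchars() left it; judge the real text.
    $raw = trim(html_entity_decode($target, ENT_QUOTES, 'UTF-8'));
    if ($raw === '') {
        return false;
    }
    if ($raw[0] === '#') {
        // In-page anchor: the same identifier charset [anchor] names may use.
        return (bool) preg_match('/^#[A-Za-z0-9_-]+$/', $raw);
    }
    if (preg_match('/^([A-Za-z][A-Za-z0-9+.-]*):/', $raw, $m)) {
        // Absolute URL: only allow-listed schemes, compared case-insensitively.
        return in_array(strtolower($m[1]), ALLOWED_SCHEMES, true);
    }
    // No scheme, so a relative path. A conservative charset rules out colons,
    // whitespace and control characters that could smuggle a scheme past us.
    return (bool) preg_match('/^[A-Za-z0-9_.\/?=&%#~-]+$/', $raw);
}

/* Same markup as the article's format_output(), with the hardening above. */
function format_output_safe(string $output): string {
    // Escape first: everything the user typed becomes inert text. (The
    // article's stripslashes() is not needed; magic quotes are gone since 5.4.)
    $output = htmlspecialchars($output, ENT_QUOTES, 'UTF-8');

    // Fixed tags need no pattern matching; strtr() replaces them in one pass.
    $output = strtr($output, [
        '[p]' => '<p>',
        '[b]' => '<b>', '[/b]' => '</b>',
        '[i]' => '<i>', '[/i]' => '</i>',
        '[pre]' => '<pre>', '[/pre]' => '</pre>',
        '[indent]' => '<blockquote>', '[/indent]' => '</blockquote>',
    ]);

    // [anchor="name"]: quotes are now &quot;, and names are limited to a safe
    // identifier charset so nothing else can land inside the attribute.
    $output = preg_replace(
        '/\[anchor=&quot;([A-Za-z0-9_-]+)&quot;\]/',
        '<a name="$1"></a>',
        $output
    );

    // [link="target"]text[/link]: the pair is matched together so a refused
    // target leaves the whole construct as visible text.
    $output = preg_replace_callback(
        '/\[link=&quot;(\S+?)&quot;\](.*?)\[\/link\]/s',
        function (array $m): string {
            if (!link_target_is_safe($m[1])) {
                return $m[0];
            }
            $raw  = html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
            $href = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
            return '<a href="' . $href . '">' . $m[2] . '</a>';
        },
        $output
    );

    return nl2br($output);
}

// Constructed sample input: the article's test.php markup plus two lines that
// exercise the hardening (a javascript: target and raw HTML inside [pre]).
$sample = "this is [b]bold[/b] and [i]italics[/i]\n"
    . "this is [link=\"https://www.phpbuilder.com\"]a link[/link]\n"
    . "this is [anchor=\"test\"]an anchor, and a [link=\"#test\"]link[/link] to the anchor\n"
    . "this is [link=\"javascript:alert(1)\"]refused[/link]\n"
    . "[pre]<b>raw html stays text</b>[/pre]\n"
    . "[indent]Indented text[/indent]";

echo format_output_safe($sample), "\n";
```

Run it with php on the command line: the https link and the #test link become <a> elements, the raw <b> inside [pre] is shown as text, and the javascript: link comes out as the literal [link=...]refused[/link] text, which is exactly the behaviour the note above asks for, now independent of the letter case or the particular scheme the submitter used.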
Conclusion
This discussion provides a method for safely displaying user input, which can be used in programs such as:
- message boards
- user suggestion systems
- announcements
- BBS systems