I'm using phpBugtracker and I'm pretty new to php, but I would like to know how to allow backslashes in the comments. I noticed that only backslashes get stripped but forward slashes stay. (I did manage to get 1 backslash to show when I put in 5)
Any help is appreciated!
// Hypothetical wrapper name and $me parameter added so the snippet runs stand-alone;
// $me is assumed to hold the script's own URL, as in phpBugtracker.
function format_comment($comments, $me) {
    $patterns = array(
        '/\r/',
        '/</',
        '/>/',
        '/\n/',
        '/(bug)[[:space:]]?(#?)([0-9]+)/i', // matches bug #nn
        '/cvs:([^\.\s:,\?!]+(\.[^\.\s:#,\?!]+)*)([:#](rev|r)?)?(\d\.[\d\.]+)?([\W\s])?/i', // matches cvs:filename.php, cvs:filename.php:n.nn or cvs:filename.php#revn.nn
        '/&lt;pre&gt;/', // preformatted text (matched as entities, since < and > are encoded by the patterns above)
        '/&lt;\/pre&gt;/', // preformatted text
    );
    $replacements = array(
        '',
        '&lt;', // encode angle brackets; the entities were decoded when the code was pasted and are restored here
        '&gt;',
        '<br>',
        "<a href='$me?op=show&bugid=\\3'>\\1 #\\3</a>", // internal link to bug
        '\\1\\6', // external link to cvs web interface
        '<pre>',
        '</pre>',
    );
    return preg_replace($patterns, $replacements, stripslashes($comments));
}
The reason the slashes are being stripped is because you are passing $comments through stripslashes. Just pass it in as-is and it should be ok. Worth doing some thorough testing to make sure that won't open up a security hole.
I'm trying to remove <p> and </p> from my JSON rest API output. I did the below but the output it gives me has double slashes like \\r\\n\\r\\n. So how do I change the double slashes to single?
Here's my code
//Remove <p> HTML element and replace with line breaks
$return = str_replace('<p>', '', $return);
$return = str_replace('</p>', '\r\n\r\n', $return); // single-quoted '\r\n' is the literal text backslash-r-backslash-n, not a line break; json_encode then escapes the backslash, giving \\r\\n
//Output the data in JSON format without escaping the URL slashes
wp_send_json($return, 200, JSON_UNESCAPED_SLASHES | JSON_PRETTY_PRINT);
Or can the above be more efficient if I use preg_replace?
WordPress does this automatically for security reasons. If you get the result on the user side (frontend), you can do this using JavaScript and the following code:
const result = response.data.replace(/\/\//g, "/");
All is okay; you just need to use json_decode on the front side, or wherever you want to print the result.
I have a little script here which replaces BB code with HTML code. Everything works fine but the URLs.
$bbextended = array(
    "/\[URL=(.*?)\](.*?)\[\/URL\]/i" => "$2"
);
foreach ($bbextended as $match => $replacement) {
    $bbtext = preg_replace($match, $replacement, $bbtext);
}
Input
[URL="http://somewebsite.come/something"]Some Website Title[/URL]
Output
Some Website Title
There are double-quotes, which obviously isn't that good.
I tried
$bbextended = array(
    "/\[URL=\"(.*?)\"\](.*?)\[\/URL\]/i" => "$2"
);
in the code but it didn't work. I also tried to leave out the escape sign and quotes around the $1 in the HTML code, but it didn't work either.
Any ideas?
You should use a real parser for this, such as jBB http://jbbcode.com/
When I
Set the Find string = '/\[URL="(.*?)"\](.*?)\[\/URL\]/i'
and
Set the replace string = '$2'
I get this using simple preg_replace
Some Website Title
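The answers above get the quotes out of the capture, but a [URL] tag whose target goes straight into an href also needs its scheme checked. The following is an added example, not code from the question or answers: it accepts both the quoted and unquoted forms, links only absolute http(s) URLs, and HTML-escapes both the href and the link text (bbcode_url_to_html and the sample inputs are constructed for this illustration).

```php
<?php
// Added example, not code from the question or answers above: turn
// [URL="..."]text[/URL] (with or without quotes) into an anchor, but
// only for absolute http(s) URLs, and HTML-escape both href and text.
function bbcode_url_to_html(string $bbtext): string
{
    $pattern = '/\[URL=(?:"([^"]*)"|([^\]]*))\](.*?)\[\/URL\]/is';
    return preg_replace_callback($pattern, function (array $m): string {
        // Group 1 is the quoted form, group 2 the unquoted form.
        $url  = $m[1] !== '' ? $m[1] : $m[2];
        $text = htmlspecialchars($m[3], ENT_QUOTES, 'UTF-8');
        // parse_url() rejects nothing by itself; the allow-list below
        // leaves javascript:, data: and relative targets as plain text.
        $parts  = parse_url($url) ?: [];
        $scheme = strtolower((string) ($parts['scheme'] ?? ''));
        if (!in_array($scheme, ['http', 'https'], true) || empty($parts['host'])) {
            return $text;
        }
        $href = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
        return '<a href="' . $href . '" rel="nofollow noopener">' . $text . '</a>';
    }, $bbtext);
}

// Constructed sample inputs: the quoted form from the question, an
// unquoted form with characters that need escaping, and a URL whose
// scheme must not become a link.
$samples = [
    '[URL="http://somewebsite.come/something"]Some Website Title[/URL]',
    '[URL=https://example.invalid/?a=1&b=2]a "quoted" title[/URL]',
    '[URL="javascript:alert(1)"]click me[/URL]',
];
foreach ($samples as $s) {
    echo bbcode_url_to_html($s), "\n";
}
```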
I'm building a public forum from scratch, and I'm fine-tuning and testing everything now. I'm currently stuck at the function that strips all HTML tags except those I use for inserting YouTube videos, and bold/italic tags, so that the user at least has some way of styling their posts. My problem is that when I use the nl2br2() function for filtering my post string, it doesn't strip the HTML tags from the string; it works fine if I remove nl2br2() ..? My theory is that the strip_tags() function also strips the native system line breaks \n and \r, so that nl2br2() hasn't got any line break to convert. I'm actually pretty sure that's the problem! How can I make those two functions work together? Are there any alternatives to strip_tags()? Or can you somehow tell the function to stop stripping those line breaks!!? It's really annoying, been spending lots of hours today trying to figure this out :D any help is much appreciated!
THIS DIDN'T WORK:
function nl2br2($string) {
    $string = str_replace(array("\r\n", "\r", "\n"), "<br />", $string);
    return $string;
}
$str = "$_POST[indlaeg]";
mysql_real_escape_string($str); // PROTECT FROM SQL INJECTIONS THROUGH SINGLE QUOTES '' (return value is discarded here, so $str is unchanged)
strip_tags($str, '<b><i><a><video><br>'); // REMOVE ALL TAGS EXCEPT (return value is discarded here too)
$str = nl2br2($str); // CONVERT LINE BREAKS TO <br>
THIS DIDN'T WORK EITHER:
$str = mysql_real_escape_string(strip_tags(nl2br2($_POST['indlaeg']), '<b><i><a><video><br>'));
THIS WORKED!!!!
function html2txt($document) {
    $search = array(
        '#<script[^>]*?>.*?</script>#si', // Strip out javascript
        '#<[\/\!]*?[^<>]*?>#si', // Strip out HTML tags
        '#<style[^>]*?>.*?</style>#siU', // Strip style tags properly
        '#<![\s\S]*?--[ \t\n\r]*>#', // Strip multi-line comments including CDATA
    ); // closing parenthesis moved out of the comment above, where it had been swallowed
    $text = preg_replace($search, '', $document);
    return $text;
}
$str = "$_POST[indlaeg]";
$str = html2txt($str);
$str = nl2br2($str);
The html2txt() function is sent from heaven! It strips ALL evil-minded tags! Including the single quotes '' that hackers like to use for SQL injection :D
PROBLEM SOLVED!
You’re applying three functions to your string – mysql_real_escape_string, strip_tags and nl2br2. The order should be reversed because mysql_real_escape_string adds a backslash before \n and \r, making the string unable to be processed by nl2br2. If you apply nl2br2 first, strip_tags next and mysql_real_escape_string last, no such problems should arise.
Replace these four lines
$str = "$_POST[indlaeg]";
mysql_real_escape_string($str); // PROTECT FROM SQL INJECTIONS THROUGH SINGLE QUOTES ''
strip_tags($str, '<b><i><a><video><br>'); // REMOVE ALL TAGS EXCEPT
$str = nl2br2($str); // CONVERT LINE BREAKS TO <br>
with
$str = $_POST['indlaeg'];
$str = nl2br2($str); // CONVERT LINE BREAKS TO <br>
$str = strip_tags($str, '<b><i><a><video><br>'); // REMOVE ALL TAGS EXCEPT A FEW
$str = mysql_real_escape_string($str); // PROTECT FROM SQL INJECTIONS THROUGH SINGLE QUOTES ''
Just a quick question about regular expressions: will this code work for any grooming I will need to do? (i.e. can this be input into a database and be safe?)
function markdown2html($text) {
    $text = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    // Strong Emphasis
    $text = preg_replace('/__(.+?)__/s', '<strong>$1</strong>', $text);
    $text = preg_replace('/\*\*(.+?)\*\*/s', '<strong>$1</strong>', $text);
    // Underline
    $text = preg_replace('/_([^_]+)_/', '<p style="text-decoration: underline;">$1</p>', $text);
    //Italic
    $text = preg_replace('/\*([^\*]+)\*/', '<em>$1</em>', $text);
    // Windows to Unix (double quotes so these are real line-break characters, not literal backslashes)
    $text = str_replace("\r\n", "\n", $text);
    // Macintosh to Unix
    $text = str_replace("\r", "\n", $text);
    //Paragraphs
    $text = '<p>' . str_replace("\n\n", '</p><p>', $text) . '</p>';
    $text = str_replace("\n", '<br />', $text);
    // [Linked Text](Url)
    $text = preg_replace('/\[([^\]]+)]\(([a-z0-9._~:\/?##!$&\'()*+,;=%]+)\)/i', '$1', $text);
    return $text;
}
No, absolutely not.
Your code has nothing to do with SQL -- it does not modify ' or \ characters at all. Commingling the formatting functionality of this function with SQL escaping is silly.
Your code may also introduce HTML injection in some situations -- I'm particularly suspicious of the URL linking regex. Without a proper parser involved, I would not trust it an inch.
No, the data cannot be assured to be safe after passing through that function.
You need to either escape SQL-sensitive characters or use PDO/Mysqli. Prepared statements are much more handy anyway.
Don't use the old way of hacking together a query, ie:
$query = 'select * from table where col = '.$value;
You're just asking for trouble there.
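Both the forum-post question (nl2br2, strip_tags, mysql_real_escape_string) and the markdown2html question come down to the same point made in the answers: SQL escaping and HTML formatting are separate jobs. The following is an added example, not code from any question or answer on this page, showing the two kept apart: the post is stored as typed through a PDO prepared statement and escaped for HTML only when rendered. It assumes the pdo_sqlite extension; the table, function names and sample post are constructed for the illustration.

```php
<?php
// Added example (not code from the questions or answers above): keep
// SQL escaping and HTML formatting apart. The post is stored as typed
// through a prepared statement and escaped for HTML only when rendered.
// Assumes the pdo_sqlite extension; the table and post are constructed.
function open_store(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $db;
}

function save_post(PDO $db, string $body): int
{
    // The value travels as a bound parameter, never as SQL text, so
    // quotes, backslashes and newlines in $body cannot alter the query.
    $stmt = $db->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $db->lastInsertId();
}

function render_post(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT body FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $body = (string) $stmt->fetchColumn();
    // Escape everything first, then convert real line breaks. This is
    // the step strip_tags() cannot do safely: it keeps attributes such
    // as onclick on the tags it is told to allow.
    $html = nl2br(htmlspecialchars($body, ENT_QUOTES, 'UTF-8'));
    // Re-enable only bare <b> and <i>; anything with attributes stays literal.
    return preg_replace('#&lt;(/?)([bi])&gt;#', '<${1}${2}>', $html);
}

// Constructed sample post with a quote, a line break and a script tag.
$db = open_store();
$id = save_post($db, "it's <b>bold</b>\n<script>alert(1)</script>");
echo render_post($db, $id), "\n";
```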
A couple of things jumped out at me:
I believe that the first two regexes ('/__(.+?)__/s' and the corresponding one for *) handle ___word___ and ***word*** incorrectly –– they will treat the third character as part of the word, so you will get *word* (where the first * is bold and the trailing one is not) instead of word.
On the third one ('/_([^_]+)_/'), is it really appropriate for
do _not_ do that
to turn into
do <p style="text-decoration: underline;">not</p> do that
?
Of course I’m not saying that it’s OK to use if you fix these issues.
I have a form where users can quote others using bbcode. When somebody pushes the quote button, the textarea value is:
[quote user=User date=1348246887 post=301]
User post text
[/quote]
And now, my code to transform it into a block is:
$post = preg_replace("/\[quote user=(.*) date=(.*) post=(.*)](.*)\[\/quote\]/Uis", "<div class=\"quote\"><p>Quote by \\1 at time : \\2 </p><span>\\4</span></div>", $post);
How can I convert the time to a date inside preg_replace? In preg_replace I can't do it, because the value of \2 is not set.
Try something like this (I added "test" inside the link, so you could see the link--not sure what you wanted there, but a non-breaking space won't make the link visible.) I used htmlentities for security in case the "subiect" $_GET variable (which maybe you meant to be "subject"?) contained markup or quotes. And of course, you can customize the date() string first argument to your needs. Finally, I added \s+ to allow for more flexible whitespacing. I also changed delimiter '/' to '#' so you don't need to escape '/' within the regex.
Updated for older PHP compatibility:
<?php
$post = <<<HERE
[quote user=User date=1348246887 post=301]
User post text
[/quote]
HERE;

function replacer($matches) {
    return '<div class="quote"><p>Quote by ' . $matches[1] . ' at time : ' .
        date('Y m d', $matches[2]) . '<a href="index.php?subject=' .
        htmlentities($_GET['subiect'], ENT_COMPAT, 'UTF-8') .
        '&post=' . $matches[3] . '">test </a></p><span>' .
        $matches[4] . '</span></div>';
}

$post = preg_replace_callback(
    '#\[quote\s+user=(.*)\s+date=(.*)\s+post=(.*)](.*)\[/quote\]#Uis',
    'replacer',
    $post
);
var_dump($post);
?>