You can download the file that accompanies this document on this page, or in the Character Processing section of File Downloads. This document describes how to display formatted user input safely: we discuss the dangers of unsanitized output and then give a safe way to display formatted output.
The dangers of unfiltered output
If you simply take input from the user and display it as-is, your output page can be broken: a malicious user could embed a JavaScript snippet in the submitted text, for example:
```html
This is my comment.
<script language="javascript">alert('Do something bad here!')</script>
```
Even if the user is not malicious, a stray tag in the input can corrupt your HTML, for example cutting a table off abruptly or leaving the page only partly rendered.
Show only unformatted text
This is the simplest solution: you display the user-submitted information as unformatted text only. Use the htmlspecialchars() function to convert all HTML special characters (such as <, > and &) into their HTML entity encodings.
Passing the submitted text through htmlspecialchars() before echoing it ensures that no unexpected HTML tags are output at inappropriate places. This is a good solution if your users only care about plain text content, but it would be better to give them some ability to format their text.
Formatting with custom markup tags
You can provide special tags for users to use. For example, you can allow [b]...[/b] to be displayed in bold and [i]...[/i] in italics; this only needs a simple search-and-replace operation:
```php
$output = str_replace('[b]', '<b>', $output);
$output = str_replace('[/b]', '</b>', $output);
$output = str_replace('[i]', '<i>', $output);
$output = str_replace('[/i]', '</i>', $output);
```
A little better, we can allow users to type in some links. For example, the user is allowed to enter [link="url"]...[/link], and we convert it into an <a href="url">...</a> statement.
Here a simple find-and-replace is not enough; we have to use a regular expression replacement:
```php
// The original used ereg_replace(), which was removed in PHP 7; preg_replace()
// with the equivalent pattern does the same job. The square brackets of the
// custom tag must be escaped, otherwise they are read as a character class.
$output = preg_replace('/\[link="([[:graph:]]+)"\]/', '<a href="$1">', $output);
```
What this replacement does is find every place where [link="..."] appears and capture the text between the quotes; [[:graph:]] matches any printable, non-whitespace character, so the captured URL ends at the first space or closing quote. Please see the related article on regular expressions.
The format_output() function in outputlib.php performs the conversion of these tags. The overall principle is: first call htmlspecialchars() so that any HTML tags the user typed are encoded and can no longer be rendered, and then convert our series of custom tags into the corresponding HTML tags.
Please see the source code below:
```php
<?php
function format_output($output) {
/****************************************************************************
 * Takes a raw string ($output) and formats it for output using a special
 * stripped down markup that is similar to HTML
 ****************************************************************************/
    // Encode every HTML special character first. From here on a literal double
    // quote in the text reads as &quot;, so the patterns below match that
    // encoded form. stripslashes() undoes magic_quotes-style escaping.
    $output = htmlspecialchars(stripslashes($output));
    /* new paragraph */
    $output = str_replace('[p]', '<p>', $output);
    /* bold */
    $output = str_replace('[b]', '<b>', $output);
    $output = str_replace('[/b]', '</b>', $output);
    /* italics */
    $output = str_replace('[i]', '<i>', $output);
    $output = str_replace('[/i]', '</i>', $output);
    /* preformatted */
    $output = str_replace('[pre]', '<pre>', $output);
    $output = str_replace('[/pre]', '</pre>', $output);
    /* indented blocks (blockquote) */
    $output = str_replace('[indent]', '<blockquote>', $output);
    $output = str_replace('[/indent]', '</blockquote>', $output);
    /* anchors: ereg_replace() was removed in PHP 7, so preg_replace() with the
       equivalent pattern is used; the square brackets must be escaped */
    $output = preg_replace('/\[anchor=&quot;([[:graph:]]+)&quot;\]/', '<a name="$1"></a>', $output);
    /* links, note we try to prevent javascript in links (in any letter case):
       the inserted space stops the link pattern below from matching */
    $output = preg_replace('/\[link=&quot;javascript/i', '[link=&quot; javascript', $output);
    $output = preg_replace('/\[link=&quot;([[:graph:]]+)&quot;\]/', '<a href="$1">', $output);
    $output = str_replace('[/link]', '</a>', $output);
    return nl2br($output);
}
?>
```
Some notes:
Remember to replace the custom tags with the generated HTML tags after calling htmlspecialchars(), not before; otherwise the hard work of the replacements is undone by htmlspecialchars().
After that conversion, the HTML characters you search for have already been encoded; for example, the double quote " becomes &quot;.
nl2br() converts each carriage return / line feed into a <br> tag.
When converting [link=""] to <a href="">, the pattern therefore has to match the already-encoded &quot; rather than a raw double quote.
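The page's link conversion blocks only the literal "javascript" prefix. As an added example (not from outputlib.php or the original article, and assuming PHP 5.3 or later for the closure), here is an allowlist version of the same [link="..."] conversion: only http(s) URLs and in-page "#anchor" fragments become links, and everything else is left as escaped text, so no unexpected scheme can reach href.

```php
<?php
// Added example: allowlist variant of the [link="..."]...[/link] conversion.
// Hypothetical helper name; it is not part of the original outputlib.php.
function safe_link_markup($text) {
    // Same first step as format_output(): encode before any tag replacement.
    $text = htmlspecialchars($text, ENT_QUOTES);
    // A literal double quote now reads as &quot;, so the pattern matches that
    // form. Lazy [[:graph:]]+? stops at the first &quot;] so two links on one
    // line are not merged into one.
    return preg_replace_callback(
        '/\[link=&quot;([[:graph:]]+?)&quot;\](.*?)\[\/link\]/s',
        function ($m) {
            $url   = $m[1];
            $label = $m[2];
            // Allowlist: absolute http/https URLs or a same-page fragment.
            if (preg_match('~^(https?://|#)\S*$~i', $url)) {
                return '<a href="' . $url . '">' . $label . '</a>';
            }
            // Any other scheme (javascript:, data:, vbscript:, ...) is not
            // turned into a link; the escaped markup is shown as plain text.
            return $m[0];
        },
        $text
    );
}

// Constructed sample inputs covering the accepted and rejected cases.
$samples = array(
    'see [link="http://www.phpbuilder.com"]PHPBuilder[/link]',
    'jump to the [link="#test"]anchor[/link]',
    'click [link="JavaScript:alert(1)"]here[/link]',
    'click [link="javascript:alert(1)"]here[/link]',
);
foreach ($samples as $s) {
    echo safe_link_markup($s), "\n";
}
// The first two lines print an <a href="..."> tag; the last two print the
// escaped markup literally, e.g. [link=&quot;JavaScript:alert(1)&quot;]here[/link]
?>
```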
The function lives in outputlib.php. Open test.php in the browser to see format_output() in use.
Normal HTML tags cannot be used; replace them with the following special tags:
```text
- this is [b]bold[/b]
- this is [i]italics[/i]
- this is [link="http://www.phpbuilder.com"]a link[/link]
- this is [anchor="test"]an anchor, and a [link="#test"]link[/link] to the anchor
[p]Paragraph
[pre]Pre-formatted[/pre]
[indent]Indented text[/indent]
```
These are just a few tags; of course, you can customize them according to your needs and feel free to add more.
Conclusion
This discussion provides a method to display user input safely, which can be used in programs such as:
Message Board
User Suggestions
System Announcement
BBS System