
Thread: formatting user submitted documents

  1. #1
    Join Date
    Jan 2007
    Location
    Davenport, Iowa
    Posts
    1,875
    Thanks
    92
    Thanked 97 Times in 95 Posts

    Default formatting user submitted documents

    On my site I have many different options for formatting text documents. I use CSS to put select quoted text into colored boxes, text links are hyperlinked, code is properly formatted when put in code tags, and a few other goodies. I do this for my own benefit.

    I am now working on a bigger project where users can log into my site and create articles of their own. I am not too worried about security as I feel fairly comfortable with my knowledge of security safeguards, but I am sure there is still much I need to learn. In fact it is partly due to this that I am having a bit of trouble.

    I am trying to figure out how an article should be processed. A user will create a document and submit it to the database. I do not want the user to be able to submit javascript that will be executed after being retrieved from the database. Is there a way to disable the javascript? Should I echo the html entities when it is retrieved from the database or before it is submitted to the database? I want to be able to process certain tags like bold, anchors, my premade quote tags and code tags using square brackets, but I want <b> to be displayed as <b>, whereas
    PHP Code:
    [b]text[/b]
    will be displayed as text.

    Basically, I want to disable javascript hacking. I hope I am making some sense. For the rest I figure a simple str_replace will take care of most issues.
    Last edited by james438; 10-05-2010 at 10:38 PM. Reason: fixed incorrectly formatted code
    To choose the lesser of two evils is still to choose evil. My personal site

  2. #2
    Join Date
    Apr 2008
    Location
    So.Cal
    Posts
    3,643
    Thanks
    63
    Thanked 516 Times in 502 Posts
    Blog Entries
    5

    Default

    If you want to process formatting (bold, italic, etc.) using BBCode-style tags (e.g., [b], [i], etc.), then you can use htmlentities() to display regular html <tags> safely.

    Either before or after may be appropriate, depending on your purpose.

    1) Before. If you NEVER want the <tags> to be used as html, do htmlentities() before saving to the database. The encoded values ( &lt; tag &gt; ) will be saved, and then you're done.

    2) After. If you might want to use the html tags (e.g., if the code block you're displaying is also available for download and use), then save them to the database intact and use htmlentities() when you display it. This offers more flexibility, but a little more risk, as you have to make sure you remember to apply htmlentities() every time.
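The "after" option from this reply, as an added example that is not code from the thread: the raw text is stored unchanged, and every display path escapes it with htmlspecialchars() first and only then expands a short whitelist of square-bracket tags into HTML. The function name `render_bbcode` and the sample input are assumptions made for the example.

```php
<?php
// Added example, not the poster's code: escape on output, then expand a
// small BBCode whitelist. Raw text is stored; every display path must
// call render_bbcode(), which is the "remember to apply it every time"
// risk the reply mentions.

function render_bbcode(string $raw): string
{
    // Step 1: neutralise every literal HTML character the user typed.
    // After this, a typed "<b>" is the visible text "&lt;b&gt;" and a
    // typed "<script>" can no longer be parsed as a tag.
    $safe = htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Step 2: only now turn the square-bracket tags we recognise into HTML.
    // The replacement strings are ours, not the user's, so they are trusted;
    // the captured content ($1) has already been escaped in step 1.
    $tags = [
        '/\[b\](.*?)\[\/b\]/s'         => '<b>$1</b>',
        '/\[i\](.*?)\[\/i\]/s'         => '<i>$1</i>',
        '/\[quote\](.*?)\[\/quote\]/s' => '<div class="quote">$1</div>',
        // [code] content keeps its entities; <pre> only preserves whitespace.
        '/\[code\](.*?)\[\/code\]/s'   => '<pre class="code">$1</pre>',
    ];

    return preg_replace(array_keys($tags), array_values($tags), $safe);
}

// Constructed sample input, as a user might submit it (hypothetical).
$submitted = "Use [b]bold[/b] but show <b> literally. <script>alert(1)</script>";

echo render_bbcode($submitted), PHP_EOL;
```

Running this prints the `[b]bold[/b]` part as a real `<b>` element while the typed `<b>` and the `<script>` block come out as entities, so they are displayed rather than interpreted. The order of the two steps is the whole point: escaping after the BBCode expansion would also escape the `<b>` you just generated.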

  3. #3
    Join Date
    Jan 2007
    Location
    Davenport, Iowa
    Posts
    1,875
    Thanks
    92
    Thanked 97 Times in 95 Posts

    Default

    The problem is that I do want html tags to be used as html, but not javascript or css. I think I came up with a solution though.

    URLs will be processed into their bbcode equivalent prior to being submitted to the database, so that

    PHP Code:
    http://www.animeviews.com 
    will look like [a href="http://www.animeviews.com"]http://www.animeviews.com[/a].
    When the document is pulled from the database to be displayed, specific bbcode tags will be converted to their html equivalent, but
    Code:
    <script src="ajaxpagination.js" type="text/javascript"> or <style type="text/css"> or
    <script type="text/javascript" src="http://www.animeviews.com/include/wz_tooltip.js"></script> or
    </script>
    <div style="float: left;" id="my_menu" class="sdmenu">
    will be processed as html entities.
    To choose the lesser of two evils is still to choose evil. My personal site
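The two halves of the pipeline described in this post, as an added example that is not the poster's code: on submission, bare URLs are wrapped in the site's own `[a href="..."]...[/a]` tag; on display, everything is escaped first and that tag becomes a real link only when the href is an http or https URL, so a `javascript:` or `data:` href and any raw `<script>` or `<style>` markup stay as visible entities. The function names `linkify_on_submit` and `render_links`, the `rel="nofollow"` attribute and the sample input are assumptions made for the example.

```php
<?php
// Added example, not the poster's code. Submission side: wrap bare
// http/https URLs in the site's BBCode link tag. The lookbehind skips
// URLs that are already inside a [a href="..."]...[/a] tag.
function linkify_on_submit(string $text): string
{
    return preg_replace(
        '~(?<![\["=\]])\bhttps?://[^\s<>"\[\]]+~i',
        '[a href="$0"]$0[/a]',
        $text
    );
}

// Display side: escape everything, then expand [a href="..."] only when
// the href passes a scheme check. Because the text was escaped first, the
// quotes around the href are already &quot; and cannot close the attribute.
function render_links(string $raw): string
{
    $safe = htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    return preg_replace_callback(
        '/\[a href=&quot;([^\s\[\]]+?)&quot;\](.*?)\[\/a\]/s',
        function (array $m): string {
            $href = $m[1];
            // Only http/https may become a clickable link; javascript:,
            // data: and anything else is left as the escaped text.
            if (!preg_match('~^https?://~i', $href)) {
                return $m[0];
            }
            return '<a href="' . $href . '" rel="nofollow">' . $m[2] . '</a>';
        },
        $safe
    );
}

// Constructed sample input (hypothetical): one bare URL, one hand-written
// tag with a javascript: href, and some raw markup.
$submitted = 'See http://www.animeviews.com and '
           . '[a href="javascript:alert(1)"]click[/a] <script>x</script>';

$stored = linkify_on_submit($submitted);   // what goes into the database
echo $stored, PHP_EOL;
echo render_links($stored), PHP_EOL;       // what the page shows
```

The stored form contains `[a href="http://www.animeviews.com"]http://www.animeviews.com[/a]` while the hand-written `javascript:` tag is left alone. On display, only the http URL becomes an `<a>` element; the `javascript:` tag and the `<script>` markup are printed as escaped text. Converting links at submission time, as the post proposes, means the scheme check on display is the one place that decides what may become a clickable link, so it has to run on every display path just like the entity conversion.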
