How to parse bbcodes safely?
Posted by Emily on Stack Overflow
Published on 2010-04-18T04:01:29Z
I'm trying to parse BBcodes in PHP, but I don't think my code is safe at all.
$Text = preg_replace("(\[color=(.+?)\](.+?)\[\/color\])is","<span style=\"color: $1\">$2</span>",$Text);
I think you can pass an injection like this and it will work:
[color=<script>alert('gotcha');</script>]
How can I improve my regex to only capture the two standard color formats:
[color=red] OR [color=#FF0000]
Thanks
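One way to handle this, as an added example that is not part of the original question: restrict the attribute to a literal `#` plus 3 or 6 hex digits or a letters-only name checked against a whitelist, and HTML-escape the whole input before the tag replacement runs, so that neither the attribute value (`$1`) nor the wrapped text (`$2`) can ever be emitted as raw markup. The whitelist of colour names and the `parseColorBBCode` function name are assumptions made for this example.

```php
<?php
// Added example, not code from the original question.
// Renders [color=NAME]...[/color] and [color=#HEX]...[/color] safely.
function parseColorBBCode(string $text): string
{
    // Assumed whitelist of named colours; extend it with the names you accept.
    $allowedNames = ['red', 'green', 'blue', 'black', 'white',
                     'yellow', 'orange', 'purple', 'gray'];

    // Escape everything first. '[', ']', '=' and '#' are left untouched by
    // htmlspecialchars, so the tag syntax survives, but any '<', '>' or quotes
    // in the attribute or in the wrapped text become inert entities.
    $escaped = htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Attribute is limited to '#' + 3 hex digits, '#' + 6 hex digits, or letters only.
    // A letters-only or hex-only value cannot break out of the style attribute.
    $pattern = '/\[color=(#[0-9a-f]{3}|#[0-9a-f]{6}|[a-z]+)\](.*?)\[\/color\]/is';

    return preg_replace_callback(
        $pattern,
        function (array $m) use ($allowedNames): string {
            $color = strtolower($m[1]);
            $inner = $m[2];           // already HTML-escaped above
            // Unknown colour names: drop the styling but keep the text.
            if ($color[0] !== '#' && !in_array($color, $allowedNames, true)) {
                return $inner;
            }
            return '<span style="color: ' . $color . '">' . $inner . '</span>';
        },
        $escaped
    );
}

// Sample input constructed for this example.
$sample = "[color=red]ok[/color] [color=#FF0000]hex[/color] "
        . "[color=<script>alert('gotcha');</script>]bad[/color] "
        . "[color=red]<b>not bold</b>[/color] [color=#1]short[/color]";

echo parseColorBBCode($sample), PHP_EOL;
// The first two tags become styled spans; the remaining three are left as
// escaped literal text because their attribute does not match the pattern
// (or, in the fourth case, the inner HTML is shown escaped inside the span).
```

Escaping before matching is the important ordering: if the replacement ran on the raw input, `$2` would still reinsert whatever HTML sat between the tags. The pattern does not handle nested or unbalanced `[color]` tags; a real BBcode renderer needs a small stack-based parser for that, but the attribute and content rules above apply unchanged.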