How to parse bbcodes safely?

Posted by Emily on Stack Overflow See other posts from Stack Overflow or by Emily
Published on 2010-04-18T04:01:29Z Indexed on 2010/04/18 4:03 UTC
Read the original article Hit count: 474

Filed under:
|
|

I'm trying to parse BBcodes in php but i don't think my code is safe at all.

$Text = preg_replace("(\[color=(.+?)\](.+?)\[\/color\])is","<span style=\"color: $1\">$2</span>",$Text); 

I think you can pass an injection like this and it will work:

[color=<script>alert('gotcha');</script>]

How to improve my regex to only capture the two standar color formats:

[color=red] OR [color=#FF0000]

Thanks

© Stack Overflow or respective owner

Related posts about php

Related posts about regex