在PHP中显示格式化的用户输入

Home

Backend Development

PHP Tutorial

在PHP中显示格式化的用户输入_PHP

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

Jun 01, 2016 pm 12:25 PM

output show mark Format user enter

你可以在这个页面下载这个文档附带的文件，也可以在文件下载中的字符处理中下载这个文档描述如何安全显示的有格式的用户输入。我们将讨论没有经过过滤的输出的危险，给出一个安全的显示格式化输出的方法。

　　没有过滤输出的危险

　　如果你仅仅获得用户的输入然后显示它，你可能会破坏你的输出页面，如一些人能恶意地在他们提交的输入框中嵌入javascript脚本：

This is my comment.

＜script language="javascript:

alert('Do something bad here!')">.

　　这样，即使用户不是恶意的，也会破坏你的一些HTML的语句，如一个表格突然中断，或是页面显示不完整。

　　只显示无格式的文本

　　这是一个最简单的解决方案，你只是将用户提交的信息显示为无格式的文本。使用htmlspecialchars()函数，将转化全部的字符为HTML的编码。

　　如＜b>将转变为，这可以保证不会有意想不到的HTML标记在不适当的时候输出。

　　这是一个好的解决方案，如果你的用户只关注没有格式的文本内容。但是，如果你给出一些可以格式化的能力，它将更好一些。

Formatting with Custom Markup Tags

用户自己的标记作格式化

　　你可以提供特殊的标记给用户使用，例如，你可以允许使用[b]...[/b]加重显示，[i]...[/i]斜体显示，这样做简单的查找替换操作就可以了： $output = str_replace("[b]", "＜b>", $output);

$output = str_replace("[i]", "＜i>", $output);

　　再作的好一点，我们可以允许用户键入一些链接。例如，用户将允许输入[link="url"]...[/link]，我们将转换为＜a href="">...＜/a>语句

　　这时，我们不能使用一个简单的查找替换，应该使用正则表达式进行替换：

$output = ereg_replace('[link="([[:graph:]]+)"]', '＜a href="\1">', $output);

ereg_replace()的执行就是：

查找出现[link="..."]的字符串，使用＜a href="..."> 替换它

[[:graph:]]的含义是任何非空字符，有关正则表达式请看相关的文章。

　　在outputlib.php的format_output()函数提供这些标记的转换，总体上的原则是：

　　调用htmlspecialchars()将HTML标记转换成特殊编码，将不该显示的HTML标记过滤掉，然后，将一系列我们自定义的标记转换相应的HTML标记。

请参看下面的源代码：

＜?php

function format_output($output) {

/****************************************************************************

* Takes a raw string ($output) and formats it for output using a special

* stripped down markup that is similar to HTML

****************************************************************************/

$output = htmlspecialchars(stripslashes($output));

/* new paragraph */

$output = str_replace('[p]', '＜p>', $output);

/* bold */

$output = str_replace('[b]', '＜b>', $output);

$output = str_replace('[/b]', '＜/b>', $output);

/* italics */

$output = str_replace('[i]', '＜i>', $output);

$output = str_replace('[/i]', '＜/i>', $output);

/* preformatted */

$output = str_replace('[pre]', '＜pre>', $output);

$output = str_replace('[/pre]', '＜/pre>', $output);

/* indented blocks (blockquote) */

$output = str_replace('[indent]', '＜blockquote>', $output);

$output = str_replace('[/indent]', '＜/blockquote>', $output);

/* anchors */

$output = ereg_replace('[anchor="([[:graph:]]+)"]', '＜a name="\1">＜/a>', $output);

/* links, note we try to prevent javascript in links */

$output = str_replace('[link="javascript', '[link=" javascript', $output);

$output = ereg_replace('[link="([[:graph:]]+)"]', '＜a href="\1">', $output);

$output = str_replace('[/link]', '＜/a>', $output);

return nl2br($output);

}

?>

一些注意的地方:

　　记住替换自定义标记生成HTML标记字符串是在调用htmlspecialchars()函数之后，而不是在这个调用之前，否则你的艰苦的工作在调用htmlspecialchars()后将付之东流。

　　在经过转换之后，查找HTML代码将是替换过的，如双引号"将成为"

nl2br()函数将回车换行符转换为＜br>标记，也要在htmlspecialchars()之后。

　　当转换[links=""] 到＜a href="">, 你必须确认提交者不会插入javascript脚本，一个简单的方法去更改[link="javascript 到 [link=" javascript, 这种方式将不替换，只是将原本的代码显示出来。

outputlib.php

在浏览器中调用test.php，可以看到format_output() 的使用情况

正常的HTML标记不能被使用,用下列的特殊标记替换它:

- this is [b]bold[/b]

- this is [i]italics[/i]

- this is [link="http://www.phpbuilder.com"]a link[/link]

- this is [anchor="test"]an anchor, and a [link="#test"]link[/link] to the anchor

[p]段落

[pre]预先格式化[/pre]

[indent]交错文本[/indent]

这些只是很少的标记，当然，你可以根据你的需求随意加入更多的标记

Conclusion

　　结论

　　这个讨论提供安全显示用户输入的方法，可以使用在下列程序中

留言板

用户建议

系统公告

BBS系统

Statement of this Website

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Hot AI Tools

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress images for free

Clothoff.io

AI clothes remover

AI Hentai Generator

Generate AI Hentai for free.

Hot Article

R.E.P.O. Energy Crystals Explained and What They Do (Yellow Crystal)

3 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

R.E.P.O. Best Graphic Settings

3 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

Assassin's Creed Shadows: Seashell Riddle Solution

2 weeks ago By DDD

R.E.P.O. How to Fix Audio if You Can't Hear Anyone

3 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

WWE 2K25: How To Unlock Everything In MyRise

3 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

Hot Tools

Notepad++7.3.1

Easy-to-use and free code editor

SublimeText3 Chinese version

Chinese version, very easy to use

Zend Studio 13.0.1

Powerful PHP integrated development environment

Dreamweaver CS6

Visual web development tools

SublimeText3 Mac version

God-level code editing software (SublimeText3)

Hot Topics

Where is the login entrance for gmail email?

7460

CakePHP Tutorial

1376

What is the format of the account name of steam

win11 activation key permanent

nyt connections hints and answers

Related knowledge

How to use Xiaohongshu account to find users? Can I find my mobile phone number? Mar 22, 2024 am 08:40 AM

With the rapid development of social media, Xiaohongshu has become one of the most popular social platforms. Users can create a Xiaohongshu account to show their personal identity and communicate and interact with other users. If you need to find a user’s Xiaohongshu number, you can follow these simple steps. 1. How to use Xiaohongshu account to find users? 1. Open the Xiaohongshu APP, click the "Discover" button in the lower right corner, and then select the "Notes" option. 2. In the note list, find the note posted by the user you want to find. Click to enter the note details page. 3. On the note details page, click the "Follow" button below the user's avatar to enter the user's personal homepage. 4. In the upper right corner of the user's personal homepage, click the three-dot button and select "Personal Information"

Windows input encounters hang or high memory usage [Fix] Feb 19, 2024 pm 10:48 PM

The Windows input experience is a key system service responsible for processing user input from various human interface devices. It starts automatically at system startup and runs in the background. However, sometimes this service may automatically hang or occupy too much memory, resulting in reduced system performance. Therefore, it is crucial to monitor and manage this process in a timely manner to ensure system efficiency and stability. In this article, we will share how to fix issues where the Windows input experience hangs or causes high memory usage. The Windows Input Experience Service does not have a user interface, but it is closely related to handling basic system tasks and functions related to input devices. Its role is to help the Windows system understand every input entered by the user.

In Ubuntu systems, the root user is usually disabled. To activate the root user, you can use the passwd command to set a password and then use the su- command to log in as root. The root user is a user with unrestricted system administrative rights. He has permissions to access and modify files, user management, software installation and removal, and system configuration changes. There are obvious differences between the root user and ordinary users. The root user has the highest authority and broader control rights in the system. The root user can execute important system commands and edit system files, which ordinary users cannot do. In this guide, I'll explore the Ubuntu root user, how to log in as root, and how it differs from a normal user. Notice

How to mark minesweeper? -How to change the difficulty of Minesweeper? Mar 18, 2024 pm 06:34 PM

How to mark minesweeper? First, we need to familiarize ourselves with the marking method in Minesweeper. Normally, there are two common marking methods in Minesweeper games: flag marking and question mark marking. The flag mark is used to indicate that there are mines in the block and is a deterministic mark; while the question mark mark indicates that there may be mines in the block, but it is not deterministic. These two marking methods play an important role in the game, helping players to infer which blocks may contain mines, so as to effectively proceed to the next step. Proficient use of these marking methods can improve the player's success rate in the minesweeper game and reduce the risk of stepping on mines. Therefore, when playing the minesweeper game, if the player has mastered the flag mark and question mark mark, when the player is not sure whether there is a mine in a certain square, he can use the question mark mark to mark it.

How to mark multiple locations on Baidu Maps How to mark multiple locations Mar 15, 2024 pm 04:28 PM

There are many functions above, especially for maps that can mark multiple places. When we know some places, we will definitely use some punctuation functions, so that we can bring you a variety of different aspects. Some of the functions you mark will produce distance differences, that is, you can know how far away they are. Of course, some names and detailed information of the above places will also be displayed. However, many netizens may not be familiar with some of the above. The content information is not very clear, so in order to allow everyone to make better choices in various aspects, today the editor will bring you some choices in various aspects, so friends who are interested in ideas, If you are also interested, come and give it a try. Standard

How to write the qq mailbox format? What is the qq mailbox format? Feb 22, 2024 pm 03:40 PM

QQ email: QQ number@qq.com, English QQ email: English or numbers@qq.com, foxmail email account: set up your own account@foxmail.com, mobile phone email account: mobile phone number@qq.com. Tutorial Applicable Model: iPhone13 System: IOS15.3 Version: QQ Mailbox 6.3.3 Analysis 1QQ mailbox has four formats, commonly used QQ mailbox: QQ number@qq.com, English QQ mailbox: English or numbers@qq.com, foxmail Email account: set up your own account@foxmail.com, mobile phone email account: mobile phone number@qq.com. Supplement: What is qq mailbox? 1 The earliest QQ mailbox was only between QQ users

What is sudo and why is it important? Feb 21, 2024 pm 07:01 PM

sudo (superuser execution) is a key command in Linux and Unix systems that allows ordinary users to run specific commands with root privileges. The function of sudo is mainly reflected in the following aspects: Providing permission control: sudo achieves strict control over system resources and sensitive operations by authorizing users to temporarily obtain superuser permissions. Ordinary users can only obtain temporary privileges through sudo when needed, and do not need to log in as superuser all the time. Improved security: By using sudo, you can avoid using the root account during routine operations. Using the root account for all operations may lead to unexpected system damage, as any mistaken or careless operation will have full permissions. and

Analysis of user password storage mechanism in Linux system Mar 20, 2024 pm 04:27 PM

Analysis of user password storage mechanism in Linux system In Linux system, the storage of user password is one of the very important security mechanisms. This article will analyze the storage mechanism of user passwords in Linux systems, including the encrypted storage of passwords, the password verification process, and how to securely manage user passwords. At the same time, specific code examples will be used to demonstrate the actual operation process of password storage. 1. Encrypted storage of passwords In Linux systems, user passwords are not stored in the system in plain text, but are encrypted and stored. L

See all articles