Custom BB Codes

[monoVertex]

Ok, here's my question: how can I make my own BB codes? Hyperlink, image, text size and all the others? Do I have to search the text for certain codes and use them as some functions, or there is any other way than this 'manual' one? Thanks in advance!

 

[AceHart]

PHP?

$content = preg_replace('/\[b\](.*?)\[\/b\]/i', '<strong>$1</strong>', $content);

 

[monoVertex]

Question: what is '(.*?)' supposed to do? To take whatever is inside the tags? And puts it in $1? Or those were just examples?

 

[AceHart]

Well, that weird-thing-that-looks-like-line-noise is, actually, a regular expression.

This particular example would replace [noparse]"Hey, you!"[/noparse] with "<strong>Hey, you!</strong>".
Yes, all of them (within $content), not just the first one.

 

[monoVertex]

Oh, got it now, thanks a lot for your help!

 

[Persen]

I'd also recommend some sort of filter that, Ace's code, replaces < and > with &lt; and &gt; so noone can input their own HTML and use it for XSS (doesn't matter what it is, it's just not good...)

 

[AceHart]

$content = str_replace(array('<','>'),array('&lt;','&gt;'),$content)

And, rather obviously, should you use it, it needs to run before doing any "BB" replacements...

 

[monoVertex]

Isn't there a function that automatically takes out any html tags? Anyway, the post function won't be accesible for anyone .

 

[AceHart]

strip_tags
But, that takes them out completely.

Just replacing the < and > allows to post something like <div>123</div>, and you still see it.

 

[DDRtists]

I'd recommend doing it the way AceHart said.

 

[monoVertex]

Well, the purpose of the post won't need those. But I'll do that way. Thanks .

 

[phyrex1an]

Remember that the ace way of escaping user input only work as long as it will be inside an element (<div>here</div>) and not in the attribute list (<a href="here">Link</a>).

 

[AceHart]

If you mean the < > thing, it doesn't depend on any tags.

 

[phyrex1an]

Works = Prevents XSS attacks or other nasty stuff.

Escaping < and > is only enough when placing the escaped string inside an element and not in an elements attribute list. In this use case it's enough but it wont be enough if you make an anchor tag.

 

[AceHart]

That's not clearer either.
Got some example?

 

[phyrex1an]

Code:
$content = str_replace(array('<','>'),array('&lt;','&gt;'),$content);
$content = preg_replace('/\[a\](.*?)\[\/a\]/i', '<a href="$1">Click Here</a>', $content);

User input: [a]" onclick="nasty javascript[/a]

Equals: Problems

Ofc, with an anchor tag you must filter input that starts with javascript: too but that's another story

 

[AceHart]

Well, who would ever put unfiltered user input up?

 

[DDRtists]

Hmm...

Just search for nasty tags, just as "JavaScript". xP

 

[Persen]

Actually, I forgot that function^^

 

[monoVertex]

Ok, I used that function for some basic stuff and it worked perfectly, but now I need help again.

Here you gave me the function and I just used it as it is, but I want to learn it, to say so. I tried to follow the manual on php.net, but I admit that I hardly undorstood something... If anyone has the patience to explain me, please . For example, a thing I would like to know would be how to make the url tag. Because, in the url tag you can pass 2 arguments (link and the actual text) and I am confused at it.

Thanks in advance.