How to stop BB Code manipulation?

Posted 2019-08-16 18:19

Hi, I recently discovered an issue where people using BB Code to enter links are able to manipulate them.

They are meant to enter something like:

[LINK]http://www.domain.com[/LINK]

However, they can enter something like this to make the link color red:

[LINK]http://www.domain.com 'span style="color:red;"'[/LINK]

This is the code which converts it:

// Converts [LINK]url[/LINK]; note that $1 lands inside the href attribute unescaped
$text = preg_replace('/\[LINK\](.*?)\[\/LINK\]/is',
                     "<a href='$1' target='_blank'>$1</a>", $text);

Also, I forgot, this is the other type:

[LINK=http://www.domain.com]example text[/LINK]

// Converts [LINK=url]text[/LINK]; $1 is the URL, $2 the visible text, both unescaped
$text = preg_replace('/\[LINK=(.*?)\](.*?)\[\/LINK\]/is',
                     "<a href='$1' target='_blank'>$2</a>", $text);

Tags: bbcode
2 answers
在下西门庆
Post #2 · 2019-08-16 18:47

That's very dangerous, especially if your guests are smart enough to start adding onclick handlers onto the link.

As mvds has said, replace all quotations and apostrophes. Sanitising input is essential.

For this particular URL problem however, that won't necessarily help. There are however plenty of regex URL validators which would strip out any naughty little code modifiers from the actual URL.

The star
Post #3 · 2019-08-16 18:48

Don't allow quotes and such in the url, and strip tags which failed in the first pass:

// First pass: only convert links whose URL contains no quotes or whitespace
$text = preg_replace("/\[LINK\]([^'\"\\s]*?)\[\/LINK\]/is",
                     "<a href='$1' target='_blank'>$1</a>", $text);

// Second pass: any [LINK] tag still present failed the first pass, so drop it
$text = preg_replace("/\[LINK\](.*?)\[\/LINK\]/is", "<i>(link removed)</i>", $text);
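The approach from the answers above carried through for both [LINK] forms, as an added example that is not code from the thread: the URL is validated and restricted to http/https, the href and label are attribute-escaped, and anything that fails is replaced the way the second answer does. The function names are my own and the code assumes PHP 7.4 or later.

```php
<?php
// Added example, not code from the thread: both [LINK] forms rendered through
// a scheme allow-list and attribute escaping; function names are my own.

function bbcode_safe_url(string $raw): ?string {
    $url = trim($raw);
    // Must be a well-formed absolute URL with an http(s) scheme; this rejects
    // the quoted-attribute payload from the question and javascript:/data: URLs.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

function bbcode_anchor(string $rawUrl, string $rawLabel): string {
    $url = bbcode_safe_url($rawUrl);
    if ($url === null) {
        return '<i>(link removed)</i>';   // same fallback as the second answer
    }
    $href  = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    $label = htmlspecialchars($rawLabel, ENT_QUOTES, 'UTF-8');
    return "<a href=\"$href\" target=\"_blank\" rel=\"noopener\">$label</a>";
}

function bbcode_links(string $text): string {
    // Form 1: [LINK]url[/LINK]  (the label is the URL itself)
    $text = preg_replace_callback('/\[LINK\](.*?)\[\/LINK\]/is',
        fn($m) => bbcode_anchor($m[1], trim($m[1])), $text);
    // Form 2: [LINK=url]label[/LINK]
    $text = preg_replace_callback('/\[LINK=(.*?)\](.*?)\[\/LINK\]/is',
        fn($m) => bbcode_anchor($m[1], $m[2]), $text);
    return $text;
}

// Constructed inputs: the injection attempt from the question, a javascript:
// scheme, and a legitimate link with a query string.
foreach ([
    "[LINK]http://www.domain.com 'span style=\"color:red;\"'[/LINK]",
    "[LINK=javascript:alert(1)]click[/LINK]",
    "[LINK=https://www.domain.com/?a=1&b=2]example text[/LINK]",
] as $in) {
    echo bbcode_links($in), "\n";
}
```

The first two inputs come out as `<i>(link removed)</i>`; the third becomes an anchor whose `&` is rendered as `&amp;` inside the href.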