Converting secure <img> only to real HTML?

php_lady
Hello all,
I need some help with PHP ..
I have a simple PHP forum that I wrote ... it accepts users' posts ...
for security reasons, I need to disable HTML using the htmlspecialchars() function ...
and then I process the input to convert secure HTML tags back to real HTML using something like: str_replace('&lt;P&gt;', "<P>", $body);

now, my problem is with the <img> tag ....
I want to convert it to real HTML only if the "src" parameter contains a real image path (detected from the extension: gif, jpg ... etc.).

how can I do it?!
Commented:
how do you store your <img> tags?

Commented:
this is not the answer to the question for now, but have a look
at http://www.php.net/manual/en/function.strip-tags.php
if you want to avoid HTML tags.
Hey, lady,

It sounded simple to me initially, but it's NOT.

It took me an hour and a half to come up with this,

Check it out,

<?php

$text = "Next image URL is valid one.<IMG src='http://us.i1.yimg.com/us.yimg.com/i/ww/m6v3.gif'> <img src='http://thisisinvalidurl.com/image.jpg'>  The last one was invalid.";
$text = htmlspecialchars($text);

print "Original text : $text";
print "<hr><hr>";

// Match an escaped <img src='...'> (htmlspecialchars turned < and > into &lt; and &gt;)
// and hand each match to validate_img(). Flags: i = case-insensitive,
// U = ungreedy, so (.*) stops at the first closing quote.
$new_text = preg_replace_callback("/&lt;img\s*src\s*=\s*['\"](.*)['\"]\s*&gt;/iU", 'validate_img', $text);
print "Searched and replaced <hr><hr>";
print $new_text;

// $match[0] is the whole escaped tag, $match[1] the captured src value.
function validate_img($match)
{
     print_r($match);   // debugging output, shows what was captured
     if ($match[1])
     {
          if (@fopen($match[1], 'r'))
               return "<img src='$match[1]'>";
     }
     return $match[0];   // otherwise leave the escaped tag untouched
}
?>


In $text, put up your text which you want to check for img tags.
And do check what it gives you in $new_text !! :)

Regards,
JD
Hey, IGNORE LAST POST.

It is a development version!! ;)
Check this one,


<?php

$text = "Checking ...<IMG src='http://put.valid.url.here/a3a5.gif'> <img src='http://put.invalid.url.here/a3a3.gif'>  End check...";
$text = htmlspecialchars($text);

print "Original text : $text";
print "<hr>";

// Match an escaped <img src='...'> and hand each match to validate_img().
// Flags: i = case-insensitive, U = ungreedy, so (.*) stops at the first closing quote.
$new_text = preg_replace_callback("/&lt;img\s*src\s*=\s*['\"](.*)['\"]\s*&gt;/iU", 'validate_img', $text);
print "Next text :<hr>";
print $new_text;

// $match[0] is the whole escaped tag, $match[1] the captured src value.
function validate_img($match)
{
     if ($match[1])
     {
          $fp = @fopen($match[1], 'r');   // only succeeds if the URL can be opened
          if ($fp)
          {
               fclose($fp);
               return "<img src='$match[1]'>";
          }
     }
     return $match[0];   // otherwise leave the escaped tag untouched
}
?>

The important thing here is that I am closing the file pointer if it has been opened.

Regards,
JD
VGR

Commented:
Personally I would rather test the MIME type returned by the URI in the SRC field of the IMG half-tag ;-)

Imagine your SRC= is a PHP script that sends out a JPEG or a PNG? (that's my case, for webcams, for graphics out of data, for special image processing like a variable image-of-the-day, etc.)

I already did what you did (a forum; also protecting against some tags, allowing some others) but I never blocked IMG tags. Anyway, if the SRC= does not reference an image, nothing will be displayed. So where is the problem with leaving it as is?

I may help, but explain.

Thanks and regards
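
VGR's idea, checking what the URL actually returns rather than what its extension claims, as an added example in PHP 7.1+ (this is not code from the thread or from VGR). The function sniffs the leading bytes of a response body for the GIF, PNG and JPEG signatures, which is roughly what a browser does before rendering; the sample bodies are constructed inline, so nothing is fetched. If you do fetch the URL from the forum server to get those bytes, every post becomes a request your server makes on the poster's behalf: restrict it to http/https, a short timeout and a byte cap, and treat the result only as a render decision.

```php
<?php
// Added example, not from the thread: classify a response body by its leading
// bytes (the "magic number"), ignoring the URL extension and the Content-Type
// header, both of which the remote server controls.
// Returns the MIME type, or null if the bytes are not a GIF/PNG/JPEG.
function sniff_image_mime(string $body): ?string
{
    // GIF: "GIF87a" or "GIF89a"
    if (strlen($body) >= 6 && in_array(substr($body, 0, 6), ['GIF87a', 'GIF89a'], true)) {
        return 'image/gif';
    }
    // PNG: fixed 8-byte signature
    if (strlen($body) >= 8 && substr($body, 0, 8) === "\x89PNG\r\n\x1a\n") {
        return 'image/png';
    }
    // JPEG: SOI marker FF D8 followed by the first segment marker FF xx
    if (strlen($body) >= 3 && substr($body, 0, 3) === "\xFF\xD8\xFF") {
        return 'image/jpeg';
    }
    return null;
}

// Constructed sample bodies (nothing here was downloaded). The last three are
// what an attacker would serve from a URL that ends in .gif or .png.
$samples = [
    'gif'           => "GIF89a\x01\x00\x01\x00\x80\x00\x00",
    'png'           => "\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR",
    'jpeg'          => "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00",
    'html as .gif'  => "<html><script>alert(1)</script></html>",
    'svg as .png'   => "<svg onload=\"alert(1)\"></svg>",
    'empty'         => "",
];
foreach ($samples as $label => $body) {
    printf("%-14s => %s\n", $label, sniff_image_mime($body) ?? 'reject');
}
```

For a more thorough check, `getimagesizefromstring($body)` (PHP 5.4+) parses further into the data and returns `false` for anything it does not recognise as an image, with the detected type in the `mime` key of its result; the hand-written sniffer above only looks at the signature.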
I agree with VGR. Why do you want to do it? There is no way to hack the system using <img>. Explorer always checks the MIME type of the data returned from SRC, and will only show it if it is a real image.

Author

Commented:
Hello all,,,
sorry for being late ;) ....

well ..... I liked dkjariwala's answer, but I'm not really sure if VGR can come up with a better one if I explain more about <img> & security?

OK ... one of the problems is that IE6 allows JavaScript to be run from the img tag like this:
<img src="javascript:alert('Hello world')" />


and what?
this means that any hacker can post a JavaScript that sends the cookies used in my forum to him!!!
and there are more problems if the forum doesn't check that the posts are coming via the POST method ....

So, what can we do?

Author

Commented:
Hello again ,,,

I tried dkjariwala's code ....... but it didn't work!
no images are displayed at all ...... the <img> tag is still not converted to real HTML!

any idea? :(
What did you try and what didn't work?

The code I posted works perfectly.
Please show me the string that you tried.

Regards,
JD

Author

Commented:
hello JD ,,

I noticed that when I use single quotes around the img src, your way works correctly

but when I use double quotes it doesn't work :(

eg : <img src='path_here'> OK
<img src="path_here">  NOT OK

Author

Commented:
another note ....
when I use more parameters in the img tag .... the replace function doesn't work correctly
for example when I specify the width and height of the image, either before or after the src parameter
I overlooked a few things.

Check this code:

<?php

$text = 'Checking ...<IMG height="42" src="http://sparsh/images/main/a3a3.gif" width="32"> <img src=\'http://sparsh/images/main/a3a333.gif\'>  End check...';
$text = htmlspecialchars($text);

print "Original text : $text";
print "<hr>";

// Other attributes may come before or after src, and the quote around the value
// is either ' or &quot; (htmlspecialchars encodes a double quote as &quot;, so the
// pattern has to match the entity, not a raw " character). i = case-insensitive,
// U = ungreedy.
$new_text = preg_replace_callback("/&lt;img\s*(.*)src\s*=\s*(?:'|&quot;)(.*)(?:'|&quot;)\s*(.*)&gt;/iU", 'validate_img', $text);
print "Next text :<hr>";
print $new_text;

// $match[0] is the whole escaped tag and $match[2] the src value;
// the other attributes ($match[1] and $match[3]) are dropped.
function validate_img($match)
{
     if ($match[2])
     {
          $fp = @fopen($match[2], 'r');
          if ($fp)
          {
               fclose($fp);
               return "<img src='$match[2]'>";
          }
     }
     return $match[0];   // otherwise leave the escaped tag untouched
}
?>
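
The same job done without opening the URL from the server, as an added example in PHP 7.1+ (not code from the thread or from dkjariwala). It covers the three things raised above: the `javascript:` src that IE6 would execute, attribute values quoted with `"` (which htmlspecialchars turns into `&quot;`) or `'` (left as-is, or `&#039;` under ENT_QUOTES), and extra attributes on either side of `src`. Instead of fopen(), which would make the forum server fetch whatever URL a poster supplies, the `src` is accepted only if it parses as an absolute http(s) URL whose path ends in an image extension (the extension rule the question asked for), and the tag is rebuilt from scratch so that nothing else from the post (an `onerror` handler, a `style`) survives. Everything else stays as escaped text. The host names and sample posts are constructed for the example.

```php
<?php
// Added example, not from the thread. Input is post text that has already been
// through htmlspecialchars(), e.g.
//   &lt;img src=&quot;http://host/pic.gif&quot; width=&quot;32&quot;&gt;
// Only an <img> whose src is an absolute http(s) URL ending in an allowed
// extension is turned back into real HTML. No network request is made.

const ALLOWED_IMAGE_EXT = ['gif', 'jpg', 'jpeg', 'png'];

// Return the URL if it is acceptable as an image source, otherwise null.
function safe_image_url(string $url): ?string
{
    $url = trim($url);
    // Browsers strip control characters inside a URL, which is how payloads
    // such as "java\tscript:" get past naive prefix checks; reject them outright.
    if ($url === '' || preg_match('/[\x00-\x20\x7f]/', $url)) {
        return null;
    }
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'], $p['path'])) {
        return null;                       // javascript:, data:, relative paths
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return null;
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return null;                       // no http://user:pw@host/ tricks
    }
    $ext = strtolower(pathinfo($p['path'], PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_IMAGE_EXT, true) ? $url : null;
}

// Parse name=value pairs out of the escaped tag body into a decoded map.
// Values may be wrapped in &quot;...&quot;, '...', &#039;...&#039; or unquoted.
function parse_escaped_attrs(string $inner): array
{
    $attrs = [];
    $re = '/([a-z][\w-]*)\s*=\s*(?:&quot;(.*?)&quot;|(?:\'|&#039;)(.*?)(?:\'|&#039;)|([^\s\'>]+))/is';
    if (preg_match_all($re, $inner, $mm, PREG_SET_ORDER)) {
        foreach ($mm as $a) {
            // exactly one of groups 2..4 participated; the others are empty or absent
            $raw = ($a[2] ?? '') . ($a[3] ?? '') . ($a[4] ?? '');
            $attrs[strtolower($a[1])] = html_entity_decode($raw, ENT_QUOTES, 'UTF-8');
        }
    }
    return $attrs;
}

// Turn validated <img> tags in escaped text back into real HTML; leave the rest.
function restore_img_tags(string $escaped): string
{
    return preg_replace_callback(
        '/&lt;img\s+(.*?)\s*\/?&gt;/is',
        function (array $m): string {
            $attrs = parse_escaped_attrs($m[1]);
            $src = isset($attrs['src']) ? safe_image_url($attrs['src']) : null;
            if ($src === null) {
                return $m[0];              // keep the harmless escaped text as is
            }
            // Rebuild the tag: only src and numeric width/height are carried over.
            $tag = '<img src="' . htmlspecialchars($src, ENT_QUOTES, 'UTF-8') . '"';
            foreach (['width', 'height'] as $dim) {
                if (isset($attrs[$dim]) && preg_match('/^\d{1,4}$/', $attrs[$dim])) {
                    $tag .= ' ' . $dim . '="' . $attrs[$dim] . '"';
                }
            }
            return $tag . ' alt="">';
        },
        $escaped
    );
}

// Constructed test posts (img.example is a placeholder host, not a real site):
$posts = [
    '<img src="http://img.example/a.gif">',                        // accepted
    "<img src='http://img.example/b.jpg'>",                        // accepted, single quotes
    '<IMG height="42" src="http://img.example/c.png" width="32">', // accepted, extra attributes
    '<img src="javascript:alert(\'Hello world\')" />',             // rejected: scheme
    '<img src="http://img.example/x.gif" onerror="alert(1)">',     // accepted, onerror dropped
    '<img src="http://img.example/not-an-image.php?x=1&y=2">',     // rejected: extension
    "<img src=\"java\tscript:alert(1)\">",                         // rejected: control char
];
foreach ($posts as $post) {
    $escaped = htmlspecialchars($post, ENT_QUOTES, 'UTF-8');   // what the forum stores
    echo restore_img_tags($escaped), "\n";
}
```

The extension check is only a syntactic filter, as the question asked for; it says nothing about what the host actually serves, so a page that wants that guarantee has to look at the bytes as VGR suggests. Because the tag is regenerated rather than un-escaped, the output is an `<img>` with exactly the attributes listed in the callback, whatever the poster wrote.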
