php_lady
asked on
converting Secure <img> only to real html?
Hello all,
I need some help with php ..
I have a simple php forum that I wrote ... it accepts users' posts ...
for security reasons, I need to disable html using the htmlspecialchars() function ...
and then I process the input to convert the escaped html tags back to real html using something like: str_replace('&lt;P&gt;', '<P>', $body);
now, my problem is with the <img> tag ....
I want to convert it to real html only if the "src" parameter contains a real image path (detected from the extension: gif, jpg ... etc).
how can I do it ?!
how do you store your <img> tags?
this is not the answer to the question for now, but have a look
at http://www.php.net/manual/en/function.strip-tags.php
if you want to avoid html tags.
Hey, lady,
It sounded simple to me initially, but it's NOT.
It took me an hour and a half to come up with this.
Check it out:
<?php
$text = "Next image URL is valid one.<IMG src='http://us.i1.yimg.com/us.yimg.com/i/ww/m6v3.gif'> <img src='http://thisisinvalidurl.com/image.jpg'> The last one was invalid.?";
$text = htmlspecialchars($text);   // escapes < > & and " (single quotes are left alone)
print "Original text : $text";
print "<hr><hr>";
// match an escaped &lt;img src='...'&gt; and hand each match to validate_img()
$new_text = preg_replace_callback("/&lt;img\s{0,}src\s{0,}=\s{0,}['|\"](.*)['|\"]\s{0,}&gt;/iU", 'validate_img', $text);
print "Searched and replaced <hr><hr>";
print $new_text;

function validate_img($url)
{
    print_r($url);                 // $url[0] = whole match, $url[1] = the src value
    if ($url[1])
    {
        if (@fopen($url[1], 'r'))  // re-enable the tag only if the URL can be opened
            return "<img src='$url[1]'>";
        else
            return $url[0];        // otherwise leave the escaped text as it is
    }
}
?>
In $text, put the text which you want to check for img tags.
And do check what it gives you in $new_text !! :)
Regards,
JD
Hey, IGNORE THE LAST POST.
It was a development version !! ;)
Check this one:
<?php
$text = "Checking ...<IMG src='http://put.valid.url.here/a3a5.gif'> <img src='http://put.invalid.url.here/a3a3.gif'> End check...";
$text = htmlspecialchars($text);   // escapes < > & and " (single quotes are left alone)
print "Original text : $text";
print "<hr>";
// match an escaped &lt;img src='...'&gt; and hand each match to validate_img()
$new_text = preg_replace_callback("/&lt;img\s{0,}src\s{0,}=\s{0,}['|\"](.*)['|\"]\s{0,}&gt;/iU", 'validate_img', $text);
print "Next text :<hr>";
print $new_text;

function validate_img($url)
{
    if ($url[1])
    {
        $fp = @fopen($url[1], 'r');    // try to open the URL given in src
        if ($fp)
        {
            fclose($fp);               // release the handle before returning
            return "<img src='$url[1]'>";
        }
        else
            return $url[0];            // leave the escaped text as it is
    }
}
?>
The important thing here is that I am closing the file pointer if it has been opened.
Regards,
JD
Personally I would rather test the MIME-type returned by the URI in the SRC field of the IMG half-tag ;-)
Imagine your SRC= is a PHP script that sends out a JPEG or a PNG? (that's my case, for webcams, for graphics out of data, for special image processing like a variable image-of-the-day, etc.)
I already did what you did (a forum; also protecting against some tags, allowing some others) but I never blocked IMG tags. Anyway, if the SRC= does not reference an image, nothing will be displayed. So where is the problem with leaving it as is?
I may help but explain.
Thanks and regards
I agree with VGR. Why do you want to do it? There is no way to hack the system using <img>. Explorer always checks the MIME type of the data returned from SRC, and will show it only if it is a real image.
ASKER
Hello all,,,
sorry for being late ;) ....
well ..... I liked dkjariwala's answer, but I'm not really sure if VGR can come up with a better one if I explain more about <img> & security?
OK ... one of the problems is that IE6 allows javascript to be run from the img tag like this:
<img src="javascript:alert('Hello world')" />
and what?
this means that any hacker can post a javascript that sends the cookies used in my forums to him !!!
and there are more problems if the forum doesn't check that the posts are coming using the POST method ....
So, what can we do?
ASKER
Hello again ,,,
I tried dkjariwala's code ....... but it didn't work!
no images are displayed at all ...... the <img> tag is still not converted to real html!
any idea? :(
What did you try and what didn't work?
The code I posted works perfectly.
Please show me the string that you tried.
Regards,
JD
ASKER
hello JD ,,
I noticed that when I use single quotes around the img src, your way works correctly,
but when I use double quotes it doesn't work :(
eg: <img src='path_here'> OK
<img src="path_here"> NOT OK
ASKER
another thing I noticed ....
when I use more parameters in the img tag .... the replace function doesn't work correctly,
for example when I specify the width and height of the image, either before or after the src parameter
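An added example (not code from the thread or from JD) that covers the points raised above: it escapes the whole post with ENT_QUOTES so both quote styles are visible, finds src among attributes in any order, rejects non-http(s) schemes such as the javascript: URL mentioned earlier, and keeps only numeric width/height. It assumes PHP 7+ and the gif/jpg extension allow-list the asker described.

```php
<?php
// Added example, not code from the thread. The post is escaped whole, then
// only <img> tags whose src is an http(s) URL with an image extension are
// rebuilt as real HTML. Works with ' or " and with attributes in any order.
function renderPost(string $body): string
{
    // ENT_QUOTES escapes ' as &#039; and " as &quot;, so both quote styles
    // reach the regex below (the thread's pattern only ever saw ').
    $escaped = htmlspecialchars($body, ENT_QUOTES, 'UTF-8');
    return preg_replace_callback('/&lt;img\s(.*?)&gt;/is', 'rebuildImg', $escaped);
}
function isSafeImageUrl(string $url): bool
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'], $p['path'])) {
        return false;
    }
    // Scheme allow-list: rejects javascript:, data:, vbscript:, file: ...
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // Extension check as the asker requested; it is a heuristic on the URL,
    // not proof that the server really returns an image (VGR's point).
    $ext = strtolower(pathinfo($p['path'], PATHINFO_EXTENSION));
    return in_array($ext, ['gif', 'jpg', 'jpeg', 'png'], true);
}
function rebuildImg(array $m): string
{
    // src=&quot;...&quot; or src=&#039;...&#039;; \1 forces matching quotes
    if (!preg_match('/\bsrc\s*=\s*(&quot;|&#039;)(.*?)\1/i', $m[1], $s)) {
        return $m[0];                       // no quoted src: stays escaped text
    }
    $url = htmlspecialchars_decode($s[2], ENT_QUOTES);
    if (!isSafeImageUrl($url)) {
        return $m[0];                       // javascript:, .php, etc.: stays escaped text
    }
    // Keep width/height only when purely numeric; every other attribute is dropped.
    $extra = '';
    foreach (['width', 'height'] as $attr) {
        if (preg_match('/\b' . $attr . '\s*=\s*(?:&quot;|&#039;)?(\d{1,4})/i', $m[1], $d)) {
            $extra .= ' ' . $attr . '="' . $d[1] . '"';
        }
    }
    // The tag is rebuilt from scratch; src is re-escaped for the attribute context.
    return '<img src="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '"' . $extra . ' alt="">';
}
// Constructed sample post: one valid image, one javascript: URL, one non-image.
$post = '<img src="http://example.com/pic.jpg" width="120"> <img src="javascript:alert(\'Hello world\')" /> <img src=\'http://example.com/gen.php\'>';
echo renderPost($post), "\n";
```

Only the first tag comes out as a real <img>; the other two remain visible as escaped text in the post.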