Checking link syntax of user input

Tags: php, mysql

I have a site where users can enter comments and descriptions. I allow them to enter links in as well. I use strip_tags with an exception for links. I also add rel="nofollow" through a simple string_replace.

The problem is, if users leave off a double quote at the end of their opening tag, it messes up the html. Any suggestions on how to check for or fix incorrect link syntax?

$comment = $_POST['comment'];
$comment = strip_tags($comment,"<a>");
$comment = str_replace('<a','<a rel="nofollow"',$comment);
$comment = mysql_real_escape_string($comment);

and when outputting

$comment = stripslashes($comment);

echo $comment;

The problem is when users add <a href="www.blah.com> and forget the last double quote, this messes up the way the comment div displays.

Brian asked Aug 30 '11 02:08



1 Answer

Here's what you have to do:

function fixLink($link) {
    // Strip the opening "<a", every double quote and the closing tag, leaving
    // only the attribute list and the link text.
    $link = str_replace(array('<a', '"', '</a>'), '', $link);
    // Re-quote: the replacements run in order, so every "=" opens a quote, the
    // first ">" closes the last attribute, and every space closes the one before it.
    $link = str_replace(
        array('=', '>', ' '),
        array('="', '">', '" '),
        $link);
    // The leading space became '" ', which closes the rel attribute.
    return '<a rel="nofollow' . $link . '</a>';
}

echo fixLink('<a href="/index.html>asd</a>') . "\n";
echo fixLink('<a class="awesome" href="/index.html>asd</a>') . "\n";
echo fixLink('<a href="/index.html class="awesome">asd</a>') . "\n";
echo fixLink('<a target="_blank" href="/index.html class="awesome">asd</a>') . "\n";
echo fixLink('<a target="_blank" href="/index.html class="awesome>asd</a>') . "\n";
echo fixLink('<a target="_blank" href="/index.html target="_blank" class="awesome">asd</a>') . "\n";
echo fixLink('<a href="/index.html class=awesome">asd</a>') . "\n";

That will output:

<a rel="nofollow" href="/index.html">asd</a>
<a rel="nofollow" class="awesome" href="/index.html">asd</a>
<a rel="nofollow" href="/index.html" class="awesome">asd</a>
<a rel="nofollow" target="_blank" href="/index.html" class="awesome">asd</a>
<a rel="nofollow" target="_blank" href="/index.html" class="awesome">asd</a>
<a rel="nofollow" target="_blank" href="/index.html" target="_blank" class="awesome">asd</a>
<a rel="nofollow" href="/index.html" class="awesome">asd</a>
Book Of Zeus answered Sep 30 '22 08:09
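An added example, not code from the question or from the answer above, showing the approach a reviewer would usually suggest for both the original problem (a missing quote breaking the page) and the answer's string-replacement repair: parse the comment with PHP's built-in DOMDocument, so the output is always well-formed markup; unwrap every element except <a>; drop every attribute the user supplied, keep only an href that passes a scheme check, and set rel="nofollow". The function names sanitizeCommentLinks and isSafeHref and the sample comments are assumptions constructed for this example. It also covers cases the question does not mention (event-handler attributes, javascript: URLs, script content), since strip_tags with <a> allowed leaves all attributes of the tag intact.

```php
<?php
// Added example (not from the question or the answer): sanitise a user comment
// with an HTML parser instead of string replacement. The parser always yields a
// well-formed tree, so an unterminated attribute quote cannot leak into the page;
// every element except <a> is unwrapped to its text, every attribute other than a
// validated href is dropped, and rel="nofollow" is set on the links that remain.

function isSafeHref(string $href): bool
{
    // Reject control characters and embedded whitespace: browsers ignore some of
    // them inside a scheme, which lets "java\tscript:" slip past a naive check.
    if ($href === '' || preg_match('/[\x00-\x20\x7f]/', $href)) {
        return false;
    }
    // Scheme present: only http and https are allowed (no javascript:, data:, ...).
    if (preg_match('#^([a-z][a-z0-9+.\-]*):#i', $href, $m)) {
        return in_array(strtolower($m[1]), ['http', 'https'], true);
    }
    // No scheme: a relative URL such as /index.html (or, as in the question,
    // www.blah.com, which the browser treats as a path; no scheme is added here).
    return true;
}

function sanitizeCommentLinks(string $comment): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // malformed input is expected; keep libxml quiet
    $doc->loadHTML(
        '<!DOCTYPE html><html><head><meta charset="utf-8"></head><body>'
        . $comment . '</body></html>'
    );
    libxml_clear_errors();

    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        // Nothing parseable: fall back to escaping the whole comment as text.
        return htmlspecialchars($comment, ENT_QUOTES, 'UTF-8');
    }

    // HTML comments carry no comment text and are removed outright.
    $xpath = new DOMXPath($doc);
    foreach (iterator_to_array($xpath->query('//comment()'), false) as $c) {
        $c->parentNode->removeChild($c);
    }

    // Snapshot the element list first: the DOMNodeList is live and the tree is mutated.
    foreach (iterator_to_array($body->getElementsByTagName('*'), false) as $el) {
        if (strtolower($el->tagName) !== 'a') {
            // Unwrap: keep the children (text, nested links), drop the tag itself.
            while (($child = $el->firstChild) !== null) {
                if ($child->nodeType === XML_CDATA_SECTION_NODE) {
                    // libxml keeps raw <script>/<style> content as a CDATA node, which
                    // the serialiser would emit unescaped; demote it to plain text.
                    $el->removeChild($child);
                    $child = $doc->createTextNode($child->nodeValue);
                }
                $el->parentNode->insertBefore($child, $el);
            }
            $el->parentNode->removeChild($el);
            continue;
        }
        $href = trim($el->getAttribute('href'));   // entities already decoded by the parser
        // Drop every user-supplied attribute (onclick, style, target, ...).
        while ($el->attributes->length > 0) {
            $el->removeAttributeNode($el->attributes->item(0));
        }
        if (!isSafeHref($href)) {
            // Keep the link text, lose the link.
            $el->parentNode->replaceChild($doc->createTextNode($el->textContent), $el);
            continue;
        }
        $el->setAttribute('href', $href);
        $el->setAttribute('rel', 'nofollow');
    }

    // Serialise only the body's children; the serialiser escapes text nodes and
    // attribute values, so the result can be echoed straight into the comment div.
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample comments, including the unterminated quote from the question.
$samples = [
    '<a href="www.blah.com>see this</a> and more text',
    '<b>bold</b> <a href="http://example.com/?a=1&b=2" onclick="alert(1)">ok</a>',
    '<a href="javascript:alert(1)">click</a>',
    '<script>alert(1)</script><a href="/index.html class="awesome">asd</a>',
];
foreach ($samples as $s) {
    echo sanitizeCommentLinks($s), "\n";
}
```

Run it with `php sanitize.php` (any file name). Exactly how much of a broken tag like `<a href="www.blah.com>see this</a>` libxml recovers depends on its error-recovery rules, so the first sample may come back as plain text rather than a repaired link; what is guaranteed is that the output is well-formed, contains no attribute this code did not set, and no href with a scheme other than http or https. Store the sanitised string with a prepared statement rather than mysql_real_escape_string plus stripslashes, and do not re-escape it on output, since the serialiser has already produced display-ready HTML.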