Hi, I recently discovered an issue where people using BB Code to enter links are able to manipulate them.
They are meant to enter something like:
[LINK]http://www.domain.com[/LINK]
However they can enter something like this to make the link color red:
[LINK]http://www.domain.com 'span style="color:red;"'[/LINK]
This is the code which converts it:
// Matches [LINK]url[/LINK] and drops the captured value straight into href
$text = preg_replace("/\\[LINK\\](.*?)\\[\/LINK\\]/is",
"<a href='$1' target='_blank'>$1</a>", $text);
Also, I forgot, this is the other type:
[LINK=http://www.domain.com]example text[/LINK]
// Matches [LINK=url]label[/LINK]; the URL is $1, the label is $2
$text = preg_replace("/\\[LINK\=(.*?)\\](.*?)\\[\/LINK\\]/is",
"<a href='$1' target='_blank'>$2</a>", $text);
Don't allow quotes and such in the URL, and strip tags which failed in the first pass:
$text = preg_replace("/\[LINK\]([^'\"\\s]*?)\[\/LINK\]/is",
"<a href='$1' target='_blank'>$1</a>", $text);
$text = preg_replace("/\[LINK\](.*?)\[\/LINK\]/is", "<i>(link removed)</i>", $text);
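A converter that handles both BBCode forms from the question, added here as an example and not code from either post: it validates the URL before it is placed in the markup and escapes every user-supplied value. The function names, the http(s)-only regex and the sample input are my own choices; it assumes PHP 7.4 or later for the arrow functions.

```php
<?php
// Reject anything that is not a plain http(s) URL: this stops javascript:
// and data: schemes and any value carrying quotes, whitespace or angle
// brackets that could break out of the href attribute.
function safe_link_url(string $url): ?string {
    $url = trim($url);
    if (!preg_match('#^https?://[^\s\'"<>]+$#i', $url)) {
        return null;
    }
    return $url;
}

// Build the anchor with every user-supplied value escaped, so neither the
// URL nor the label can close the attribute or inject markup.
function render_link(string $url, string $label): string {
    $safe = safe_link_url($url);
    if ($safe === null) {
        return '<i>(link removed)</i>';
    }
    $href = htmlspecialchars($safe, ENT_QUOTES, 'UTF-8');
    $text = htmlspecialchars($label, ENT_QUOTES, 'UTF-8');
    return "<a href=\"$href\" target=\"_blank\" rel=\"noopener noreferrer\">$text</a>";
}

// Handle both BBCode forms with a callback, so the URL is validated before
// it is ever placed inside the replacement markup.
function convert_links(string $text): string {
    // [LINK=url]label[/LINK]
    $text = preg_replace_callback(
        '/\[LINK=([^\]]*)\](.*?)\[\/LINK\]/is',
        fn($m) => render_link($m[1], $m[2]),
        $text
    );
    // [LINK]url[/LINK]
    return preg_replace_callback(
        '/\[LINK\](.*?)\[\/LINK\]/is',
        fn($m) => render_link($m[1], $m[1]),
        $text
    );
}

// Constructed sample input: a normal link, the injection attempt from the
// question, and a javascript: URL in the second form.
$sample = "[LINK]http://www.domain.com[/LINK]\n"
    . "[LINK]http://www.domain.com 'span style=\"color:red;\"'[/LINK]\n"
    . "[LINK=javascript:alert(1)]click[/LINK]\n";
echo convert_links($sample);
```

Only the first sample line becomes a working anchor; the other two are replaced by the "(link removed)" marker because they fail the URL check rather than being escaped and kept.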