Paulo Freitas
Posted March 19, 2007

Hi! ;)

Actually the e-mail BBCode only displays e-mails in raw mode (unsafe, of course). My suggestion is to encode the BBCode input, generating a safe output. A good example of this is the {mailto} function of Smarty, which has two types of encoding, JavaScript and hexadecimal code.

Beyond the source code of Smarty, below is my simple'n'poor implementation of this to exemplify the changes:

./sources/classes/bbcode/class_bbcode.php

Find:

    $txt = preg_replace( "#\[email\](\S+?)\[/email\]#i" , "<a href='mailto:\\1'>\\1</a>", $txt );
    $txt = preg_replace( "#\[email\s*=\s*\&quot\;([\.\w\-]+\@[\.\w\-]+\.[\.\w\-]+)\s*\&quot\;\s*\](.*?)\[\/email\]#i" , "<a href='mailto:\\1'>\\2</a>", $txt );
    $txt = preg_replace( "#\[email\s*=\s*([\.\w\-]+\@[\.\w\-]+\.[\w\-]+)\s*\](.*?)\[\/email\]#i" , "<a href='mailto:\\1'>\\2</a>", $txt );

Replace:

    // Build a mailto link with the address percent-encoded and the text entity-encoded.
    function mailencode($address, $text = null)
    {
        if (is_null($text)) {
            $text = $address;
        }
        $enc_address = null;
        $enc_text = null;
        for ($c = 0; $c < strlen($address); $c++) {
            // %02x keeps two hex digits per byte, which maildecode() expects
            $enc_address .= sprintf('%%%02x', ord($address[$c]));
        }
        for ($c = 0; $c < strlen($text); $c++) {
            $enc_text .= sprintf('&#x%02x;', ord($text[$c]));
        }
        return sprintf('<a href="mailto:%s">%s</a>', $enc_address, $enc_text);
    }

    $txt = preg_replace( "#\[email\](\S+?)\[/email\]#ei" , "mailencode('\\1')", $txt );
    $txt = preg_replace( "#\[email\s*=\s*\&quot\;([\.\w\-]+\@[\.\w\-]+\.[\.\w\-]+)\s*\&quot\;\s*\](.*?)\[\/email\]#ei" , "mailencode('\\1', '\\2')", $txt );
    $txt = preg_replace( "#\[email\s*=\s*([\.\w\-]+\@[\.\w\-]+\.[\w\-]+)\s*\](.*?)\[\/email\]#ei" , "mailencode('\\1', '\\2')", $txt );

Find:

    $txt = preg_replace( "#<a href=[\"']mailto:(.+?)['\"]>(.+?)</a>#" , "\[email=\\1\]\\2\[/email\]" , $txt );

Replace:

    // Reverse mailencode(): turn the encoded link back into [email] BBCode for editing.
    function maildecode($address, $text)
    {
        $dec_address = preg_replace('~%([0-9a-f]{2})~ei', 'chr(hexdec("\\1"))', $address);
        $dec_text = preg_replace('~&#x([0-9a-f]{2});~ei', 'chr(hexdec("\\1"))', $text);
        return sprintf('[email=%s]%s[/email]', $dec_address, $dec_text);
    }

    $txt = preg_replace( "#<a href=[\"']mailto:(.+?)['\"]>(.+?)</a>#e" , "maildecode('\\1', '\\2')" , $txt );

Works perfectly. :)

Thanks anyway,
Paulo Ricardo ;)

Strange_Will
Posted March 19, 2007

Couldn't most bots just render the page and grab the info anyway?

Paulo Freitas
Posted March 19, 2007

> Couldn't most bots just render the page and grab the info anyway?

It's possible for the tag content, because it uses (X)HTML entities. The href attribute isn't grabbed by rendering because it is an encoded URI. But yes, it could be matched and replaced with the real e-mail using a regular expression. :unsure:

However, this would make it difficult for common bots. Moreover, my code only uses hexadecimal encoding. A JavaScript encoding would be more difficult. :)

Regards,
Paulo Ricardo ;)

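
The trade-off discussed in the posts above, as an added example that is not code from the thread: the same hex and entity encoding written with preg_replace_callback (the /e modifier used in the original was removed in PHP 7.0), followed by a check of what standard URL and entity decoders recover from the generated link. The function names are hypothetical, the sample post is constructed, and PHP 7.4+ with mbstring is assumed.

```php
<?php
// Added example; function names are hypothetical, sample input is constructed.
// Assumes PHP 7.4+ with the mbstring extension.

function mail_encode(string $address, ?string $text = null): string
{
    $text = $text ?? $address;
    $href = '';
    foreach (str_split($address) as $byte) {
        $href .= sprintf('%%%02x', ord($byte));               // always two hex digits
    }
    $label = '';
    foreach (mb_str_split($text, 1, 'UTF-8') as $char) {
        $label .= sprintf('&#x%x;', mb_ord($char, 'UTF-8'));  // one entity per code point
    }
    return sprintf('<a href="mailto:%s">%s</a>', $href, $label);
}

// Callback form of the first [email] rule; without /e no matched text is evaluated as PHP.
function encode_email_bbcode(string $txt): string
{
    $out = preg_replace_callback(
        '#\[email\](\S+?)\[/email\]#i',
        static function (array $m): string { return mail_encode($m[1]); },
        $txt
    );
    return $out ?? $txt;   // preg_replace_callback returns null on a PCRE error
}

// What a URL decoder plus an HTML entity decoder recover from the generated link.
function decoded_view(string $html): array
{
    if (!preg_match('#<a href="mailto:([^"]*)">(.*?)</a>#s', $html, $m)) {
        return [];
    }
    return [
        'href'  => rawurldecode($m[1]),
        'label' => html_entity_decode($m[2], ENT_QUOTES | ENT_HTML5, 'UTF-8'),
    ];
}

$post = 'Contact: [email]user@example.com[/email]';    // constructed sample post
$html = encode_email_bbcode($post);
var_dump(strpos($html, 'user@example.com') === false); // is the raw address absent from the markup?
print_r(decoded_view($html));                          // what standard decoders recover
```

The first check covers scrapers that pattern-match raw page source; the second shows that anything parsing the HTML gets the address back, which is the limit both posters describe.
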
Guest
Posted March 19, 2007

interesting suggestion.

skysober
Posted March 24, 2007

great suggestion! Javascript good!

W13
Posted March 24, 2007

A mostly secure method (but probably annoying for people that want to copy-paste) will be to find emails in the post input, and use GD to make them into images.

Archived
This topic is now archived and is closed to further replies.