Posted March 19, 2007

Hi! ;)

Actually the e-mail BBCode only displays e-mails in raw mode (unsafe, of course). My suggestion is to encode the BBCode input, generating a safe output. A good example of this is the {mailto} function of Smarty, which has two types of encoding, JavaScript and hexadecimal code.

Beyond the source code of Smarty, below follows my simple and poorly written implementation of this to exemplify the changes:

./sources/classes/bbcode/class_bbcode.php

Find:

```php
$txt = preg_replace( "#\[email\](\S+?)\[/email\]#i" , "<a href='mailto:\\1'>\\1</a>", $txt );
$txt = preg_replace( "#\[email\s*=\s*\"\;([\.\w\-]+\@[\.\w\-]+\.[\.\w\-]+)\s*\"\;\s*\](.*?)\[\/email\]#i" , "<a href='mailto:\\1'>\\2</a>", $txt );
$txt = preg_replace( "#\[email\s*=\s*([\.\w\-]+\@[\.\w\-]+\.[\w\-]+)\s*\](.*?)\[\/email\]#i" , "<a href='mailto:\\1'>\\2</a>", $txt );
```

Replace:

```php
// Percent-encode every byte of the address for the href and turn every
// byte of the link text into a hexadecimal HTML entity, so the raw
// e-mail never appears in the page source.
function mailencode($address, $text = null)
{
    if (is_null($text)) {
        $text = $address;
    }
    $enc_address = '';
    $enc_text    = '';
    for ($c = 0; $c < strlen($address); $c++) {
        $enc_address .= sprintf('%%%x', ord($address[$c]));
    }
    for ($c = 0; $c < strlen($text); $c++) {
        $enc_text .= sprintf('&#x%x;', ord($text[$c]));
    }
    return sprintf('<a href="mailto:%s">%s</a>', $enc_address, $enc_text);
}

// Callback for preg_replace_callback: $m[1] is the address, $m[2] (if the
// tag has one) the link text. This replaces the /e modifier, which
// evaluated the replacement string as PHP code and was removed in PHP 7.
function mailencode_cb($m)
{
    return mailencode($m[1], isset($m[2]) ? $m[2] : null);
}

$txt = preg_replace_callback( "#\[email\](\S+?)\[/email\]#i" , 'mailencode_cb', $txt );
$txt = preg_replace_callback( "#\[email\s*=\s*\"\;([\.\w\-]+\@[\.\w\-]+\.[\.\w\-]+)\s*\"\;\s*\](.*?)\[\/email\]#i" , 'mailencode_cb', $txt );
$txt = preg_replace_callback( "#\[email\s*=\s*([\.\w\-]+\@[\.\w\-]+\.[\w\-]+)\s*\](.*?)\[\/email\]#i" , 'mailencode_cb', $txt );
```

Find:

```php
$txt = preg_replace( "#<a href=[\"']mailto:(.+?)['\"]>(.+?)</a>#" , "\[email=\\1\]\\2\[/email\]" , $txt );
```

Replace:

```php
// Turn one captured run of hex digits back into the byte it encodes.
function hexchr($m)
{
    return chr(hexdec($m[1]));
}

// Reverse mailencode() when the stored HTML is converted back to BBCode.
// {1,2} matches the one- or two-digit output of the '%x' format above.
function maildecode($address, $text)
{
    $dec_address = preg_replace_callback('~%([0-9a-f]{1,2})~i', 'hexchr', $address);
    $dec_text    = preg_replace_callback('~&#x([0-9a-f]{1,2});~i', 'hexchr', $text);
    return sprintf('[email=%s]%s[/email]', $dec_address, $dec_text);
}

function maildecode_cb($m)
{
    return maildecode($m[1], $m[2]);
}

$txt = preg_replace_callback( "#<a href=[\"']mailto:(.+?)['\"]>(.+?)</a>#" , 'maildecode_cb' , $txt );
```

Works perfectly. :)

Thanks anyway,
Paulo Ricardo ;)
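As an added example (not code from the post above or from Invision Power Board), the same encoding scheme written as a stand-alone script: the address is validated with filter_var before it is linked at all, preg_replace_callback is used instead of the /e modifier, and the decoder relies on rawurldecode and html_entity_decode rather than a hand-written hex parser. The tag patterns are simplified from the ones quoted in the post, and the sample post text is constructed.

```php
<?php
// Added example, not code from the original post or from IPB.

// Percent-encode every byte of the address for the mailto: href and turn
// every byte of the visible text into a hexadecimal HTML entity, so the
// raw address never appears in the page source.
function email_obfuscate(string $address, string $text = ''): string
{
    if ($text === '') {
        $text = $address;
    }
    $href = '';
    for ($i = 0, $n = strlen($address); $i < $n; $i++) {
        $href .= sprintf('%%%02x', ord($address[$i]));
    }
    $label = '';
    for ($i = 0, $n = strlen($text); $i < $n; $i++) {
        $label .= sprintf('&#x%02x;', ord($text[$i]));
    }
    return sprintf('<a href="mailto:%s">%s</a>', $href, $label);
}

// Render [email]addr[/email] and [email=addr]label[/email] as HTML.
// The patterns are simplified versions of the ones in the thread.
// A value that is not a syntactically valid address is not linked:
// the tag is left in place as escaped text, so nothing unvalidated
// ever reaches an href attribute.
function bbcode_email_to_html(string $txt): string
{
    $render = function (array $m): string {
        $address = $m[1];
        $label   = (isset($m[2]) && $m[2] !== '') ? $m[2] : $address;
        if (filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
            return htmlspecialchars($m[0], ENT_QUOTES, 'UTF-8');
        }
        return email_obfuscate($address, $label);
    };
    $txt = preg_replace_callback('#\[email\](\S+?)\[/email\]#i', $render, $txt);
    $txt = preg_replace_callback('#\[email\s*=\s*"?([^\]"\s]+)"?\s*\](.*?)\[/email\]#i', $render, $txt);
    return $txt;
}

// Reverse the encoding when stored HTML is turned back into BBCode for
// the post editor.
function html_email_to_bbcode(string $html): string
{
    return preg_replace_callback(
        '#<a href=["\']mailto:([^"\']+)["\']>(.*?)</a>#i',
        function (array $m): string {
            $address = rawurldecode($m[1]);
            $label   = html_entity_decode($m[2], ENT_QUOTES, 'UTF-8');
            return sprintf('[email=%s]%s[/email]', $address, $label);
        },
        $html
    );
}

// Constructed sample post. a'b@example.com is a valid address whose quote
// would sit unescaped inside the single-quoted href of the raw output.
$post = "Mail me at [email]a'b@example.com[/email] or "
      . "[email=help@example.com]the support desk[/email]. "
      . "[email]not-an-address[/email] stays plain text.";

$html = bbcode_email_to_html($post);
echo $html, "\n";
// First link: <a href="mailto:%61%27%62%40%65...">&#x61;&#x27;&#x62;...</a>
// The quote is %27 in the href and &#x27; in the text, so neither the raw
// address nor an attribute-breaking character is present in the source.

// Round trip: the decoder recovers both addresses for the editor.
echo html_email_to_bbcode($html), "\n";
```

The validation step is what the thread's original Find block lacks: its first pattern accepts any run of non-whitespace between the tags, so encoding the output is the only thing standing between user input and the href attribute. Validating first and encoding second means the encoding is defence in depth rather than the sole control.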
March 19, 2007

> Couldn't most bots just render the page and grab the info anyway?

It's possible for the tag content, because it uses (X)HTML entities. The href attribute isn't grabbed by rendering because it is an encoded URI. But yes, it could be matched and replaced with the real e-mail by a regular expression. :unsure:

However, this would make it difficult for common bots. Moreover, my code only uses hexadecimal encoding. A JavaScript encoding would be more difficult. :)

Regards,
Paulo Ricardo ;)
March 24, 2007

A mostly secure method (but probably annoying for people who want to copy-paste) would be to find e-mails in the post input and use GD to turn them into images.