View Full Version : Do you know a script to automatically parse URLs like in this forum?

09-17-2003, 07:11 PM
? :thumbsup:

09-17-2003, 08:45 PM
Yes I do

09-17-2003, 11:28 PM
good 4 u! :rolleyes:

09-17-2003, 11:49 PM
If you're wanting the code...

Grrr, this vb code is driving me nuts.. see file in next post

09-17-2003, 11:53 PM
file here

09-18-2003, 12:15 AM
I didn't think you were going to reply me! :thumbsup:

What I see is that you actually gave the real code to use in this forums! that's great because that is what I've been looking for.

There are several lines in the txt, which one should I modify?

The user sends to the db the urls this way:

and everything between "URL(" and ")URL" must be replaced later on for a real link. How could I do it?

09-18-2003, 12:22 AM
*Shouts for mordred*

The code in the file I posted is about as much as I know, and even that was taken from some forum software :) Mordred or some other regex understanding person will be able to help you more :)

09-18-2003, 12:35 AM
I know I just have to modify some characters in one of those lines, but which one should I use and how?

I'll try everything.

Thanks Nightfire.

09-18-2003, 12:44 AM
Well, it has not been that difficult after all (having already the code, that is). Check it out if you want and tell me if it could give any error:


$url = "bla bla bla URL(http://www.codingforums.com/)URL bla bla bla";

echo preg_replace("/URL\((http:\/\/.+?)\)URL/is","<a href=\"\\1\" target=\"_blank\">\\1</a>",$url);


09-18-2003, 12:48 AM
A modified version of the first regexp would be:

preg_replace("/URL\((.+?)\)URL/", "<a href=\"$1\">$1</a>", $message);

This works, but is not very secure against Cross-Site-Scripting attacks. You can insert a lot of funky javascript code in there.

Here's another one modified for your purpose, taken out of phpBB (and hopefully more secure since they updated exactly this code last week due to an exploit):

preg_replace("#url\(([\w]+?://[^ \"\n\r\t<]*?)\)url#i", "<a href=\"$1\">$1</a>", $message);

Could be that the BBCode of this board eats some backslashes though.

09-18-2003, 01:01 AM
Thanks Mordred, that's what I'm going to use. Just one more question: what do you mean with Cross-Site-Scripting attacks? :(

09-18-2003, 10:48 AM
By allowing the user to put content up on the website, he could abuse this service to put a malicious javascript statement online instead of, in your specific case, an ordinary URL.

You may say: "So he got a javascript instead on a page he does not control. What gives?" - but the script runs in the user's browser who accesses the page. It could be used to annoy someone (like launching alert() in an infinite loop) or, much more dangerous, to steal the user's cookie for the site, which might include a session_id for protected login area etc.

This article elaborates on this topic:

Just try to be careful. A good measure is to try hijacking your own site, or let a coworker do that.

09-18-2003, 11:45 AM
I always try to validate everything as much as I can but my very first rule is to replace all < and > to &amplt; and &gt; (HTML is never allowed)

Cheers! :thumbsup: