PHP Preg_Replace Help

[Komakech]

Hey guys.

This is an issue with my regex and I can't understand why!

Code:

$format_search =  array(
      '#\[b\](.*?)\[/b\]#is',
      '#\[i\](.*?)\[/i\]#is',
      '#\[u\](.*?)\[/u\]#is',
      '#\[s\](.*?)\[/s\]#is',
      '#\[quote\](.*?)\[/quote\]#is',
      '#\[size=([1-9]|1[0-9]|20)\](.*?)\[/size\]#is',
      '#\[color=\#?([A-F0-9]{3}|[A-F0-9]{6})\](.*?)\[/color\]#is',
      '#\[url=((?:ftp|https?)://.*?)\](.*?)\[/url\]#i',
      '#\[url\]((?:ftp|https?)://.*?)\[/url\]#i',
      '#\[title=(.*?)\](.*?)\[/title\]#i'
   );
$format_replace = array(
      '<strong>$1</strong>',
      '<em>$1</em>',
      '<span style="text-decoration: underline;">$1</span>',
      '<span style="text-decoration: line-through;">$1</span>',
      '<blockquote>$1</blockquote>',
      '<span style="font-size: $1px;">$2</span>',
      '<span style="color: #$1;">$2</span>',
      '<a href="$1">$2</a>',
      '<a href="$1">$1</a>',
      '<div class="box_header" id="$1"><center>$2</center></div>'
   );
$str = preg_replace($format_search, $format_replace, $str);
   $str = nl2br($str);
   return $str;

Every single BB code I have works perfectly, except the last one [title=blue]Title[/title]

I don't see the problem, can anyone help?

Thanks in advance!

[MentaL]

[s-p-n]

The problem is simple. the regex for the ID of the title accepts all characters. You don't want that. The ']' character is one of many characters you don't want to accept.

FYI, there are possible XSS injections up-and-down this thing..

[Komakech]

The problem is simple. the regex for the ID of the title accepts all characters. You don't want that. The ']' character is one of many characters you don't want to accept.

FYI, there are possible XSS injections up-and-down this thing..

I don't quite understand how to fix it though, would you mind giving me the code for the last one?

'#\[title=(.*?)\](.*?)\[/title\]#i'

As for the XSS injections, I only showed part of the function, I use htmlentities at the very beginning of the function to escape any XSS injections.

[s-p-n]

I don't quite understand how to fix it though, would you mind giving me the code for the last one?

'#\[title=(.*?)\](.*?)\[/title\]#i'

As for the XSS injections, I only showed part of the function, I use htmlentities at the very beginning of the function to escape any XSS injections.

PHP Code:

'#\[title(=([a-z0-9-_\s]*))?\](.*?)\[/title\]#i'
...
'<div class="box_header $2">$3</div>' 


[title=blue]Title Goes Here[/title] (adds class 'blue' to the title)
[title]Title Goes Here[/title] (uses no extra classes)
[title=blue outline box]Title Goes Here[/title] (adds classes, blue, outline, and box)


The reason I didn't use an ID is because IDs are pointless, restrictive and stupid. There is no reason to use IDs in web design unless you want a style attribute that can only be used once in the entire web-page- but that functionality doesn't even work since web designers use the ID incorrectly and browsers force multiple IDs to work, anyway. So never use IDs- they are broken.

You can benefit from making this class-compliant, instead.

[raptor34]

The reason I didn't use an ID is because IDs are pointless, restrictive and stupid. There is no reason to use IDs in web design unless you want a style attribute that can only be used once in the entire web-page- but that functionality doesn't even work since web designers use the ID incorrectly and browsers force multiple IDs to work, anyway. So never use IDs- they are broken.

You can benefit from making this class-compliant, instead.

I'd disagree... If you're using Javascript, ID's are very useful to specify exactly what node to run the code on.

[s-p-n]

I'd disagree... If you're using Javascript, ID's are very useful to specify exactly what node to run the code on.

No they aren't. Between all of the CSS selectors (tags, nth-child, classes), you can live without IDs much easier than you can live with them.

What if an ID is used more than once? Since HTML and similar languages suppress errors and work with error-prone code, all IDs do is make development uncertain- which is a much worse disadvantage than any advantages there may be.