  #7  
Old 02-17-2016, 08:54 AM
Kyttias
Premium Member
 
Join Date: Jan 2014
Posts: 857
Gender: Unknown/Other
Credits: 91,452

I know how to fix that. I've got another site project (not Mysidia-related, something custom coded) where I had to create fields for users to post bio data and I've got a whole function on hand ready to check for slashes and that will allow for some safe levels of html while stripping out anything potentially harmful. I haven't gotten around to upgrading the profile bio area in Mysidia, but of course we'd want it the same as the pet one.

Like, at minimum this one should solve the slashes (probably):
PHP Code:
public function validate($data){
    // Trim whitespace, undo magic-quote slashes, then escape HTML characters.
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}
But also these (to allow for some, but not all, html... and I made some exceptions that will still allow for some faces to render... and <3 is replaced with ♥ so the bracket is accounted for):
PHP Code:
public function removeStyles($data){
    // Inline style properties that will be cut out of the text.
    $list = array('cursor','position','font','z-index','font-family','font-size','border','border-left','border-right','border-top','border-bottom','border-radius');
    $patterns = array();
    foreach ($list as $v){
        // Matches "property: value;" (the trailing semicolon is optional).
        $patterns[] = '/'.$v.'\s*:\s*[^;"]*;?/';
    }
    return preg_replace($patterns, '', $data);
}
(I have no idea why the syntax highlighting is borked on this one.)
PHP Code:
public function purify($data){
    // Cut the inline style properties listed in removeStyles() first.
    $data = $this->removeStyles($data);

    $data = html_entity_decode($data);

    // Keep the heart and a few emoticon faces renderable by escaping their '<'.
    $data = str_ireplace('<3','&#x2665;',$data);
    $data = str_ireplace('_<','_&lt;',$data);
    $data = str_replace('D<','D&lt;',$data);
    $data = str_replace('D:<','D:&lt;',$data);
    $data = str_replace('u<','u&lt;',$data);
    $data = str_replace('w<','w&lt;',$data);
    $data = str_replace('o<','o&lt;',$data);
    $data = str_replace('U<','U&lt;',$data);
    $data = str_replace('W<','W&lt;',$data);
    $data = str_replace('O<','O&lt;',$data);
    $data = str_ireplace('&lt;/','</',$data);

    // Defuse href values starting with "j" (javascript:) and onclick handlers,
    // open links in a new tab, and modernise <strike>.
    $data = str_ireplace('<a href="j','<a href="## ',$data);
    $data = str_ireplace('onclick=',' ',$data);
    $data = str_ireplace('<a ','<a target="_BLANK" ',$data);
    $data = str_ireplace('<strike>','<s>',$data);
    $data = str_ireplace('</strike>','</s>',$data);
    // Drop trailing line breaks.
    $data = preg_replace('/(<br>){1,}$/', '', $data);

    // Let DOMDocument close any unbalanced tags.
    $doc = new DOMDocument();
    $doc->loadHTML('<?xml encoding="UTF-8">' . $data);
    $data = $doc->saveHTML();

    $data = strip_tags($data,'<a><pre><code><b><i><center><u><s><em><sub><sup><strong><br><span><small>');

    $data = trim($data);

    /* BEGIN URL PARSE */
    // Bare URLs outside of tags become clickable links.
    $pattern = '/((http|www\.)+(s)?:\/\/[^"\s]+)(?![^<]*>)/';
    preg_match_all($pattern, $data, $output);
    $urls = array();
    foreach ($output[0] as $values){ $urls[] = $values; }
    foreach($urls as $url) {
        $parser = '<a class="chatlink" target="_blank" href="'.$url.'">'.$url."</a>";
        $data = str_ireplace($url, $parser, $data);
    }
    /* END URL PARSE */
    return $data;
}
Run the bio through each of these functions in that order (that's my recommendation, anyway).
Anyway, as far as the Report feature, I've got some free time so I'll put some thought into it over the next couple days.
__________________
Please do not contact me directly outside of Mysidia.
I also cannot troubleshoot code more than two years old - I legit don't remember it.

Last edited by Kyttias; 02-17-2016 at 09:02 AM.
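As an added example that is neither Kyttias's code nor part of Mysidia: the post's purify() searches the string for known fragments (onclick=, href="j...) and then relies on strip_tags(), which keeps every attribute on a tag it retains. The sanitizer below takes the opposite approach on top of the same DOMDocument the post already uses: it walks the parsed tree and keeps only the tags in the post's strip_tags() list and only the attributes listed per tag, so anything unlisted is dropped without needing a replacement rule for it. The function names, the per-tag attribute list and the sample bio are assumptions made for this example.

```php
<?php
// Added example, not Kyttias's code and not part of Mysidia. An allowlist
// sanitizer on top of DOMDocument: instead of searching the string for known
// bad fragments, it keeps only listed tags and listed attributes and drops
// everything else. Function and variable names here are hypothetical.

function sanitizeBio(string $html): string
{
    // Tag list mirrors the strip_tags() allowlist in the post above.
    $allowedTags = ['a', 'pre', 'code', 'b', 'i', 'center', 'u', 's', 'em',
                    'sub', 'sup', 'strong', 'br', 'span', 'small'];
    // Attributes kept, per tag. strip_tags() keeps every attribute on an
    // allowed tag; this keeps only what is listed here.
    $allowedAttrs   = ['a' => ['href']];
    $allowedSchemes = ['http', 'https'];

    // Same heart trick as the post: turn "<3" into an entity before parsing.
    $html = str_replace('<3', '&#x2665;', $html);

    $doc = new DOMDocument();
    libxml_use_internal_errors(true);            // user HTML is rarely well-formed
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();

    $root = $doc->documentElement;               // the wrapper <div>
    cleanChildren($root, $allowedTags, $allowedAttrs, $allowedSchemes);

    // Serialise the wrapper's children only, without the <div> itself.
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return trim($out);
}

function cleanChildren(DOMNode $node, array $tags, array $attrs, array $schemes): void
{
    // Snapshot the list: we insert and remove children while walking it.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if (!$child instanceof DOMElement) {
            // Text survives; comments and processing instructions do not.
            if ($child->nodeType !== XML_TEXT_NODE) {
                $node->removeChild($child);
            }
            continue;
        }

        // Depth first, so by the time we unwrap a tag its children are clean.
        cleanChildren($child, $tags, $attrs, $schemes);
        $tag = strtolower($child->tagName);

        if (!in_array($tag, $tags, true)) {
            if ($tag === 'script' || $tag === 'style') {
                $node->removeChild($child);      // content is code, not prose
                continue;
            }
            // Unlisted formatting tag: keep its text, drop the wrapper.
            while ($child->firstChild !== null) {
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
            continue;
        }

        // Allowed tag: remove every attribute that is not on its list.
        foreach (iterator_to_array($child->attributes, false) as $attr) {
            $name = strtolower($attr->name);
            if (!in_array($name, $attrs[$tag] ?? [], true)) {
                $child->removeAttribute($attr->name);
                continue;
            }
            // Links: only absolute http(s) URLs keep their href.
            if ($name === 'href') {
                $scheme = strtolower((string) parse_url(trim($attr->value), PHP_URL_SCHEME));
                if (!in_array($scheme, $schemes, true)) {
                    $child->removeAttribute('href');
                }
            }
        }
        if ($tag === 'a' && $child->hasAttribute('href')) {
            $child->setAttribute('target', '_blank');
            $child->setAttribute('rel', 'noopener');
        }
    }
}

// Constructed sample bio (not from the post): allowed markup, the "<3" heart,
// the onclick / javascript: cases purify() handles by string replacement, and
// an inline style of the kind removeStyles() targets.
$sample = '<b>Hi!</b> <3 <a href="javascript:alert(1)" onclick="x()">me</a> '
        . '<span style="font-size:99px">big</span> <a href="https://example.com/">site</a>';
echo sanitizeBio($sample), "\n";
```

Because the rule is "keep only what is listed", the onclick attribute, the style attribute and the non-http href all disappear without a dedicated replacement for each, and the bold, span and heart survive. Relative links (no scheme) lose their href too; widen $allowedSchemes or add a base-URL check if the site needs them. The tag list is the one from the post, so it can be swapped for whatever the bio field should permit.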