trying to make php code work for profile

[Gio~Logist]

How would i make it so that the settings in this code

PHP Code:

            $webpage['text'] = stripslashes($row['text']);
            
            //Check text-formatting settings
            $settingvbcode = iif($row['vbcodeorhtml'] == 'vbcode' AND $vboptions['webpageallowvbcode'] == '1', '1', '0');
            $settinghtml = iif($row['vbcodeorhtml'] == 'html' AND $vboptions['webpageallowhtml'] == '1', '1', '0');
            if($settinghtml == 0 AND $settingvbcode == 0) {
                $settingvbcode = 1;
            }
            
            if($vboptions['webpagesmilies'] == 1 and $row['usesmilies'] == 1) {
                $settingsmilies = 1; } else { $settingsmilies = 0; }
            
            if($settingvbcode == 1) {
                $webpage['text'] = parse_bbcode2($webpage['text'], $settinghtml, 1, $settingsmilies, $settingvbcode);
            }
            if($settinghtml == 1) {
                //Remove scripts!!!
                $webpage['text'] = preg_replace("/(\<script)(.*?)(script>)/si", "", $webpage['text']);
                //Don't hide anything!
                $webpage['text'] = str_replace("<!--", "&lt;!--", $webpage['text']);
                //Allow specified tags (if empty in admin, ALL tags are allowed! SECURITY RISK!)
                if($settinghtml == 1 && !empty($vboptions['allowedhtmltags'])) {
                    $webpage['text'] = strip_tags($webpage['text'], $vboptions['allowedhtmltags']);
                }
            }
            
            //Javascript will not be allowed
            $webpage['text'] = ereg_replace("~<script[^>]*>.+</script[^>]*>~isU", "", $webpage['text']); 
            
            $webpage['hits'] = $row['hits'];
            $webpage['bgcolor'] = $row['bgcolor'];
            $webpage['bordersize'] = $row['bordersize'];
            $webpage['bordercolor'] = $row['bordercolor'];
            $webpage['fontface'] = $row['fontface'];
            $webpage['fontsize'] = $row['fontsize'];
            $webpage['fontcolor'] = $row['fontcolor'];

} 


work for the text in profile fields?

[Gio~Logist]

PHP Code:

   $webpage['text'] = preg_replace("/(\<script)(.*?)(script>)/si", "", $webpage['text']); 
                //Don't hide anything! 
                $webpage['text'] = str_replace("<!--", "&lt;!--", $webpage['text']); 


i believe that alone filters out malicious codes



this code is the one that does pretty much everythign

PHP Code:

            //Check text-formatting settings 
            $settingvbcode = iif($row['vbcodeorhtml'] == 'vbcode' AND $vboptions['webpageallowvbcode'] == '1', '1', '0'); 
            $settinghtml = iif($row['vbcodeorhtml'] == 'html' AND $vboptions['webpageallowhtml'] == '1', '1', '0'); 
            if($settinghtml == 0 AND $settingvbcode == 0) { 
                $settingvbcode = 1; 
            } 
             
            if($vboptions['webpagesmilies'] == 1 and $row['usesmilies'] == 1) { 
                $settingsmilies = 1; } else { $settingsmilies = 0; } 
             
            if($settingvbcode == 1) { 
                $webpage['text'] = parse_bbcode2($webpage['text'], $settinghtml, 1, $settingsmilies, $settingvbcode); 
            } 
            if($settinghtml == 1) { 
                //Remove scripts!!! 
                $webpage['text'] = preg_replace("/(\<script)(.*?)(script>)/si", "", $webpage['text']); 
                //Don't hide anything! 
                $webpage['text'] = str_replace("<!--", "&lt;!--", $webpage['text']); 
                //Allow specified tags (if empty in admin, ALL tags are allowed! SECURITY RISK!) 
                if($settinghtml == 1 && !empty($vboptions['allowedhtmltags'])) { 
                    $webpage['text'] = strip_tags($webpage['text'], $vboptions['allowedhtmltags']); 
                } 
            } 


[Chris M]

Essentially, the following is what is the most secure:

PHP Code:

 if(!(empty($vboptions['allowedhtmltags']))) { 
$webpage['text'] = strip_tags($webpage['text'], $vboptions['allowedhtmltags']); 
} 


But I do not recommend, under any circumstances, enabling HTML anywhere...

Satan

[Gio~Logist]

a code hellsatan has come up with

PHP Code:

if(!(empty($vboptions['allowedhtmltags']))) {  
  
 $post['fieldx'] = strip_tags($post['fieldx'], $vboptions['allowedhtmltags']);  
  
 } 


now if only we can find out where $post[fieldx] is parsed

here's some php i found in member.php

PHP Code:

// *********************
// CUSTOM PROFILE FIELDS
$profilefields = $DB_site->query("
    SELECT profilefieldid, required, title, type, data, def, height
    FROM " . TABLE_PREFIX . "profilefield
    WHERE form = 0 OR 6 OR 7  OR 8" . iif(!can_moderate(), "
        AND hidden = 0") . "
    ORDER BY displayorder
");


$search = array(
    '#(\r\n|\n|\r)#',
    '#(<br />){3,}#', // Replace 3 or more <br /> with two <br />
);
$replace = array(
    '<br />',
    '<br /><br />',
);

while ($profilefield = $DB_site->fetch_array($profilefields))
{
    exec_switch_bg();
    $profilefieldname = "field$profilefield[profilefieldid]";
    if ($profilefield['type'] == 'checkbox' OR $profilefield['type'] == 'select_multiple')
    {
        $data = unserialize($profilefield['data']);
        foreach ($data AS $key => $val)
        {
            if ($userinfo["$profilefieldname"] & pow(2, $key))
            {
                $profilefield['value'] .= iif($profilefield['value'], ', ') . $val;
            }
        }
    }
    else if ($profilefield['type'] == 'textarea')
    {
        $profilefield['value'] = preg_replace($search, $replace, trim($userinfo["$profilefieldname"]));
    }
    else
    {
        $profilefield['value'] = $userinfo["$profilefieldname"];
    }
    if ($profilefield['value'] != '')
    {
        $show['extrainfo'] = true;
    }
    eval('$customfields .= "' . fetch_template('memberinfo_customfields') . '";');

}
// END CUSTOM PROFILE FIELDS
// ************************* 


is this where the $post[fieldx] isparsed?

[sabret00the]

this

PHP Code:

$profilefields = $DB_site->query("
    SELECT profilefieldid, required, title, type, data, def, height
    FROM " . TABLE_PREFIX . "profilefield
    WHERE form = 0 OR 6 OR 7  OR 8" . iif(!can_moderate(), "
        AND hidden = 0") . "
    ORDER BY displayorder
"); 


should be

PHP Code:

$profilefields = $DB_site->query("
    SELECT *
    FROM " . TABLE_PREFIX . "userfield
"); 


[Gio~Logist]

thank you for your input, however, read the thread.... wer'e trying to use the code we put together and/or limits for html in webpage, to work for $post[fieldx]

[sabret00the]

Quote:

Originally Posted by gio~logist

now if only we can find out where $post[fieldx] is parsed

what do you mean by 'parsed'? to my knowledge $post fieldx isn't anywhere within your script as you've described?

basically describe what you mean by parsed.

and having read the thread back, what i originally posted more than stands but alas that's just me.

you select the field then you echo it out, it's that simple.

[Gio~Logist]

hellsatan told me to put

PHP Code:

 if(!(empty($vboptions['allowedhtmltags']))) {   
   
 $post['fieldx'] = strip_tags($post['fieldx'], $vboptions['allowedhtmltags']);   
   
 } 


wherever $post[fieldx] is parsed. he himielf said that he doesnt know where its parsed or even if it is.

however, if theres a way that you know of to allow htlm and/or limit html the same way the webpage does, itll be helpful

there are several codes that have been posted that can be used for this

[sabret00the]

what happened when you input html into the database via the usercp does it appear in the database as you submitted it via your usercp?

[Gio~Logist]

<b> will appear as <b> and every code will jsut appear as is but it wont work