Custom User Pages - Users make pages using html/bbcode on any template safely
Version: 1.00, by carcomp
Developer Last Online: Jun 2012

Category: BB Code Enhancements - Version: 3.8.2
Released: 04-05-2009 Last Update: Never Installs: 10
Uses Plugins Template Edits
 
No support by the author.

OK, this is just something I've been slapping together the past few days, using code from here, Google, and whatnot. I didn't write 99% of it, but I thought up the idea!

OK, here's the deal. You want your users to be able to customize a page such as MEMBERINFO. Problem is, really, customizations all look EXACTLY the same. So I thought, why not let the users just program their own HTML/CSS stuff like on MySpace, as well as allow BBCode. If it messes up their MEMBERINFO page, so what. It's their own fault and they should fix it. (My members are really a close-knit family of computer/car people, so I think they can handle this.) I trust most of them, but since this mod only allows what you specify, you can't add things like <SCRIPT> tags or PHP code, etc.

The following code works in conjunction with a custom template and an eval'd variable.

To get this to work, you first have to create a new custom profile field. I don't know what the number of this field will be, so you'll have to figure that one out yourself. You should probably specify a multi-line field with a lot of space. Once you create the profile field, enter the number in the code below.

Next, you need to create a new template. Call it user_custompage. In this template, put one line...

$mypage


Then, create a plugin and link it to global_start.

In the plugin, put the following code...

Code:
function SafeHTML($str, $allow_font = true, $allow_img = true, $allow_lists = true)
{
	// Tag allowlist. 1 = accept the bare tag only (<foo>); 2 = accept the tag together with
	// whatever attributes the user wrote (<foo bar>). Any tag not listed here is deleted.
	$approvedtags = array(
		'p' => 2,
		'b' => 1,
		'i' => 1,
		'u' => 1,
		's' => 1,
		'a' => 2,
		'em' => 1,
		'br' => 1,
		'strong' => 1,
		'strike' => 1,
		'blockquote' => 1,
		'tt' => 1,
		'hr' => 1,
		'table' => 2,
		'tr' => 2,
		'td' => 2,
		'div' => 2
	);

	if ($allow_font)
	{
		$approvedtags['font'] = 2;
		$approvedtags['big'] = 1;
		$approvedtags['sup'] = 1;
		$approvedtags['sub'] = 1;
	}

	if ($allow_img)
	{
		$approvedtags['img'] = 2;
	}

	if ($allow_lists)
	{
		$approvedtags['li'] = 1;
		$approvedtags['ol'] = 1;
		$approvedtags['ul'] = 1;
	}

	$str = stripslashes($str);
	// Normalise "<  tag ...>" to "<tag ...>" so the tag name always follows "<" directly
	$str = preg_replace('/<\s*([^>]*)\s*>/', '<$1>', $str);
	// Reduce every <a> to its href; all other attributes on links are discarded
	$str = preg_replace('/<a([^>]*)href="?([^"]*)"?([^>]*)>/i', '<a href="$2">', $str);

	// Walk the string tag by tag, copying approved tags and deleting everything else
	$tmp = '';
	while (preg_match('/<([^> ]*)([^>]*)>/', $str, $reg))
	{
		$i = strpos($str, $reg[0]);
		$l = strlen($reg[0]);
		$closing = (substr($reg[1], 0, 1) == '/');
		$tag = strtolower($closing ? substr($reg[1], 1) : $reg[1]);

		if (isset($approvedtags[$tag]))
		{
			if ($closing)
				$tag = "</$tag>";
			elseif ($approvedtags[$tag] == 1)
				$tag = "<$tag>";
			else
				$tag = "<$tag" . $reg[2] . ">";   // level 2: attributes are passed through unchecked
		}
		else
		{
			$tag = '';
		}

		$tmp .= substr($str, 0, $i) . $tag;
		$str = substr($str, $i + $l);
	}

	$str = $tmp . $str;

	// Squash PHP open tags unconditionally. This also covers "<?php", so no second rule is
	// needed (the old ereg_replace("<?php", ...) rule had an unescaped "?" and so replaced
	// every "php" in the text, e.g. inside "index.php").
	$str = str_replace('<?', 'NO PHP ALLOWED', $str);

	// Squash SCRIPT tags unconditionally, in any letter case
	$str = str_ireplace('<script', 'NO SCRIPT ALLOWED', $str);

	// Squash comment tags unconditionally
	$str = str_replace('<!--', 'NO COMMENT TAGS ALLOWED', $str);

	return $str;
}


function process_message_preview($message)
{
	global $vbulletin, $vbphrase, $stylevar, $show;

	// Run the field through vBulletin's own BBCode parser, with HTML allowed
	require_once(DIR . '/includes/class_bbcode.php');
	$bbcode_parser = new vB_BbCodeParser($vbulletin, fetch_tag_list());

	$previewhtml = '';
	// do_parse($text, $do_html, $do_smilies, $do_bbcode, $do_imgcode, $do_nl2br, $cachable)
	if ($previewmessage = $bbcode_parser->do_parse($message, true, true, true, true, true, false))
	{
		$previewhtml = $previewmessage;
	}

	return $previewhtml;
}


// 'field65' is the example field number from this post; use the id of the profile field you created.
// NOTE: at global_start, $vbulletin->userinfo is the record of the user who is viewing the page,
// not of the member whose profile is shown. To render the viewed member's field instead, hook
// member_complete, where member.php has the profile owner in $userinfo, and read $userinfo['field65'].
$mypage = unhtmlspecialchars(process_message_preview($vbulletin->userinfo['field65']));

// Apply the tag allowlist after the entities have been decoded, so nothing re-opens as a tag afterwards
$mypage = SafeHTML($mypage);

eval('$mypage = "' . fetch_template('user_custompage') . '";');
See there where it says 'field65'? That's where you put your profile field number.

Now all that you have to do is put $mypage in whatever template you want your user's custom profile field HTML to show in.

This is possibly the most unsafe hack ever for your website, but it demonstrates a really cool principle: by specifying which tags a user can use, they can make a website. And yes, if they mess up the code, everyone will see your website all broken.

This is my first whack at posting something I've hacked together, so please bear with me.

Here is a link to see it in action. All the stuff you see between the "MOD STARTS HERE" and "MOD STOPS HERE" is a profile field.

http://www.quad4forums.com/test/member.php?u=3472

Here is the code I've entered in the profile field. I spent about 30 seconds on it, so it's not a definitive example of what's possible, but it gets the idea across. I've also added the script tag so you can view my page's source and notice it's not there.

(I have to use strikeout so vbulletin.org doesn't parse the bbcode)

MOD STARTS HERE
<B><TABLE style="width: 100%; padding: 0px; border: 1px; border: 1px solid #789DB3; background-image: url(http://www.travelblog.org/Wallpaper/pix/waterfall_desktop_background-1600x1200.jpg)"><TD>
<p align="center">
[B]Here is my test page[/B]
[img]http://mediaengine.org/mitcht/gallery/albums/misc/My_Car_010.sized.jpg[/img]
</p>
<TR></TR> </TD></B></table>
<DIV>
<SCRIPT>
<?

MOD ENDS HERE

BTW, this is my test forum, so it's not going to be doing much!

Screenshots

justademo.jpg (37.2 KB)


  • This modification may not be copied, reproduced or published elsewhere without author's permission.
Thanks from:
TheLastBatman
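Every tag SafeHTML marks with 2 keeps whatever attributes the user typed, so the allowlist controls tag names but not event-handler attributes, URL schemes or style contents; that is the part the "most unsafe hack ever" remark is about. Below is an added example of a per-tag attribute filter for that branch; it is not carcomp's code, and the function name filter_tag_attributes and the $attr_allow table are assumptions to extend to the tags you allow.

```php
<?php
// Added example, not part of the mod above: a per-tag attribute allowlist for the tags
// SafeHTML marks with 2. The function name and the $attr_allow table are assumptions.
$attr_allow = array(
	'a'     => array('href', 'title'),
	'img'   => array('src', 'alt', 'width', 'height'),
	'div'   => array('align', 'style'),
	'font'  => array('color', 'size', 'face'),
	'table' => array('width', 'border', 'cellpadding', 'cellspacing', 'style'),
	'td'    => array('align', 'width', 'colspan', 'rowspan', 'style'),
);

// Returns the attributes of one opening tag that survive the allowlist, as a string that
// can be appended right after the tag name (empty string when none survive).
function filter_tag_attributes($tag, $attrstring, array $attr_allow)
{
	$tag = strtolower($tag);
	if (!isset($attr_allow[$tag])) {
		return '';   // the tag is allowed, its attributes are not
	}
	$kept = '';
	// name="value", name='value' or name=value; bare attributes without "=" are dropped
	preg_match_all('/([a-z][a-z0-9\-]*)\s*=\s*("[^"]*"|\'[^\']*\'|[^\s"\'>]+)/i',
		$attrstring, $pairs, PREG_SET_ORDER);
	foreach ($pairs as $pair) {
		$name  = strtolower($pair[1]);
		$value = trim($pair[2], "\"'");
		// Event handlers (on*) are never in the allowlist, so they are dropped here too
		if (!in_array($name, $attr_allow[$tag], true)) {
			continue;
		}
		if ($name == 'href' || $name == 'src') {
			// Decode entities and strip control characters before checking the scheme,
			// then require http(s) or a site-relative path
			$plain = preg_replace('/[\x00-\x20]+/', '', html_entity_decode($value, ENT_QUOTES, 'UTF-8'));
			if (!preg_match('#^(https?://|/)#i', $plain)) {
				continue;
			}
		}
		if ($name == 'style' && preg_match('/expression\s*\(|javascript:|vbscript:|data:|@import|\\\\|&#/i', $value)) {
			continue;   // CSS constructs that can load or run code in old browsers
		}
		$kept .= ' ' . $name . '="' . htmlspecialchars($value, ENT_QUOTES) . '"';
	}
	return $kept;
}
// In SafeHTML, in the branch that passes $reg[2] through for level-2 tags, use instead:
//   $tag = "<$tag" . filter_tag_attributes($tag, $reg[2], $GLOBALS['attr_allow']) . ">";
// Constructed sample input: the src survives, the event handler does not
echo '<img' . filter_tag_attributes('img', 'src="http://example.com/a.jpg" onerror="x()"', $attr_allow) . '>';
```

The filter is deliberately deny-by-default: a tag that is allowed but has no row in $attr_allow loses all of its attributes, which is the safe direction to err in when extending the table.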

Comments
#2
04-06-2009, 08:52 PM
dxflw
Join Date: May 2008
Posts: 218
Has thanked: 0 times
Was thanked: 0 times in 0 posts

Hmm, any screenshots?
#3
04-06-2009, 08:58 PM
carcomp
Join Date: Feb 2008
Posts: 75
Has thanked: 0 times
Was thanked: 0 times in 0 posts

Go to that link I just linked you to. A screenshot would be kinda pointless because WHATEVER you write in HTML becomes the page. It's so customizable it's almost ridiculous. It pretty much exactly duplicated the MySpace CSS thing.
#4
04-07-2009, 08:27 AM
Jasem
Join Date: Feb 2006
Location: www.menokia.com
Posts: 594
Has thanked: 0 times
Was thanked: 0 times in 0 posts

Thank you!
#5
04-07-2009, 10:27 AM
ahmed-samara
Join Date: Dec 2004
Location: egypt
Posts: 178
Has thanked: 0 times
Was thanked: 0 times in 0 posts

It's an open way to hack my website by BBCode & HTML; that is not secure.
#6
04-07-2009, 01:20 PM
gwerzal
Join Date: Oct 2007
Posts: 317
Has thanked: 0 times
Was thanked: 0 times in 0 posts

Will take a look at this

Thanks
#7
04-07-2009, 01:25 PM
Sweeks
Join Date: Jul 2008
Posts: 633
Has thanked: 0 times
Was thanked: 0 times in 0 posts

I would like to see this integrated with the current user customisation options. Allowing HTML and CSS within that would be awesome.
________
Vaporizer Vulcano
#8
04-08-2009, 12:24 AM
EagleNick
Join Date: Dec 2007
Location: Florida
Posts: 517
Has thanked: 0 times
Was thanked: 0 times in 0 posts

I don't understand why you struck out the text. Why don't you just use the [noparse] BBCode if you don't want certain code parsed?
#9
04-08-2009, 02:49 PM
carcomp
Join Date: Feb 2008
Posts: 75
Has thanked: 0 times
Was thanked: 0 times in 0 posts

OK, didn't even see that! Also, it *shouldn't* allow hacking, because you specify the tags you want. So only allow the <B> tag and that's the ONLY HTML tag that works. Allow the <DIV> tag and that opens up "MySpace style" website design. I'm really surprised that hasn't been done before.


FACEPALM!
#10
05-22-2009, 10:19 PM
monkeyboy1916
Join Date: Nov 2006
Posts: 59
Has thanked: 0 times
Was thanked: 0 times in 0 posts

I'm looking for something a bit similar, but I can make this work for what I need; just having a slight problem.

When I view other profiles, it shows my info where theirs should be (from the newly created field). Any idea on a fix?
Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.