BBCODE Image Restrictions

LinkPR
Registered User
Posts: 1
Joined: Mon Jun 12, 2006 4:09 pm

Post by LinkPR »

After some amount of testing, I think I have found some restrictions for using bbcode image tags.

From what I can tell you cannot include four characters in image tags.
= (spaces) & ?
It also will not accept bbcode images where they don't end in a graphic extension.

If anyone can confirm this (I've tested on several installations) and add other characters, please do so.
AnthraX101
Security Consultant
Posts: 497
Joined: Sun Nov 14, 2004 8:05 pm

Post by AnthraX101 »

Two regexes are used to parse IMG bbcode:

Code:

	$text = preg_replace("#\[img\]((http|ftp|https|ftps)://)([^ \?&=\#\"\n\r\t<]*?(\.(jpg|jpeg|gif|png)))\[/img\]#sie", "'[img:$uid]\\1' . str_replace(' ', '%20', '\\3') . '[/img:$uid]'", $text);

Code:

	$patterns[] = "#\[img:$uid\]([^?](?:[^\[]+|\[(?!url))*?)\[/img:$uid\]#i";

What does this mean?

The tag must begin in either:

Code:

http://
ftp://
https://
ftps://

It may next have any characters except:

Code:

space
?
&
=
#
"
newline
carriage return
tab
<

It then must end in:

Code:

.jpg
.jpeg
.gif
.png

In addition, no part of it may contain the string:

Code:

[url

The proper way to allow these characters in image links is to use standard percent encoding within the link. I would not recommend removing any of these characters from the banned list; they are there as a security issue.

AnthraX101
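
The rules listed in the post above, as an added example that is not part of the original thread and is not phpBB's own code: it applies each rule separately so the reason for a rejection is visible, then cross-checks the verdict against the first quoted pattern (minus the `e` modifier and replacement). The helper name `explain_img_url` is hypothetical and the sample URLs are constructed.

```php
<?php
// First quoted pattern, copied from the post without the "e" modifier.
const IMG_FIRST_PASS = '#\[img\]((http|ftp|https|ftps)://)([^ \?&=\#"\n\r\t<]*?(\.(jpg|jpeg|gif|png)))\[/img\]#si';

// Hypothetical helper (not a phpBB function): returns 'accepted' or the rule that failed.
function explain_img_url(string $url): string
{
    // Rule 1: the URL must start with one of the four allowed schemes.
    if (!preg_match('#^(?:http|ftp|https|ftps)://(.*)$#si', $url, $m)) {
        return 'rejected: scheme must be http, ftp, https or ftps';
    }
    $rest = $m[1];
    // Rule 2: none of the banned characters may appear after the scheme.
    if (preg_match('#[ \?&=\#"\n\r\t<]#', $rest, $bad)) {
        return 'rejected: banned character ' . json_encode($bad[0]);
    }
    // Rule 3: the URL must end in a graphic extension.
    if (!preg_match('#\.(?:jpg|jpeg|gif|png)$#i', $rest)) {
        return 'rejected: must end in .jpg, .jpeg, .gif or .png';
    }
    // Rule 4 comes from the second quoted pattern, not the first.
    if (stripos($url, '[url') !== false) {
        return 'rejected: contains [url (second pattern)';
    }
    return 'accepted';
}

// Constructed sample URLs.
$samples = [
    'http://example.com/cat.png',
    'http://example.com/my photo.png',
    'http://example.com/my%20photo.png',   // percent-encoded space
    'http://example.com/image.php?id=5',
    'http://example.com/cat.bmp',
    'file:///tmp/cat.png',
];

foreach ($samples as $url) {
    $verdict = explain_img_url($url);
    // Cross-check rules 1 to 3 against the quoted pattern itself.
    $matches = preg_match(IMG_FIRST_PASS, "[img]{$url}[/img]") === 1;
    printf("%-38s %s (first pattern matches: %s)\n", $url, $verdict, $matches ? 'yes' : 'no');
}
```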