Hi, I recently discovered an issue where people using BB Code to enter links are able to manipulate them.

They are meant to enter something like:

[LINK]http://www.domain.com[/LINK]

However they can enter something like this to make the link color red:

[LINK]http://www.domain.com 'span style="color:red;"'[/LINK]

This is the code which converts it:

// Converts [LINK]url[/LINK]; the capture group accepts any characters,
// and $1 is written unescaped into the single-quoted href attribute.
$text = preg_replace("/\\[LINK\\](.*?)\\[\\/LINK\\]/is",
                       "<a href='$1' target='_blank'>$1</a>", $text);

Also, I forgot, this is the other type:

[LINK=http://www.domain.com]example text[/LINK]

// Converts [LINK=url]text[/LINK]; again the URL capture is unrestricted.
$text = preg_replace("/\\[LINK=(.*?)\\](.*?)\\[\\/LINK\\]/is",
                       "<a href='$1' target='_blank'>$2</a>", $text);
A: 

Don't allow quotes and such in the url, and strip tags which failed in the first pass:

$text = preg_replace("/\[LINK\]([^'\"\\s]*?)\[\/LINK\]/is",
                               "<a href='$1' target='_blank'>$1</a>", $text);

$text = preg_replace("/\[LINK\](.*?)\[\/LINK\]/is", "<i>(link removed)</i>", $text);
mvds

Thanks, this works great!
Mike

Can you please provide a solution for the second type in my question?
Mike

I'd say: try and figure it out. All ingredients are there. If you get stuck, post a new question.
mvds

I can't figure it out. Looks like I'll have to post a new question.
Mike
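The two-pass idea from the answer, written out for both BB Code forms in the question. This is an added example, not code from mvds or from the question; function and variable names are my own, and it assumes PHP 7.4 or later for the arrow functions. It goes one step beyond the answer by also HTML-encoding the link text, so that a label in the second form cannot carry markup into the output.

```php
<?php
// Added example, not part of mvds's answer: convert only links whose URL
// contains no quote or whitespace, then strip every [LINK] tag that survived
// the first pass. Extended here to the [LINK=url]text[/LINK] form as well.
function convertBbLinks(string $text): string
{
    // Allowed URL characters: anything except ' " and whitespace, so the
    // value cannot terminate the single-quoted href attribute.
    $url = "[^'\"\\s]+?";

    // Renders one link. The URL already passed the character check; the
    // label is HTML-encoded so it cannot carry markup into the link text.
    $render = function (string $href, string $label): string {
        $label = htmlspecialchars($label, ENT_QUOTES, 'UTF-8');
        return "<a href='$href' target='_blank'>$label</a>";
    };

    // Form 1: [LINK]http://www.domain.com[/LINK]
    $text = preg_replace_callback("/\\[LINK\\]($url)\\[\\/LINK\\]/is",
        fn(array $m) => $render($m[1], $m[1]), $text);

    // Form 2: [LINK=http://www.domain.com]example text[/LINK]
    $text = preg_replace_callback("/\\[LINK=($url)\\](.*?)\\[\\/LINK\\]/is",
        fn(array $m) => $render($m[1], $m[2]), $text);

    // Second pass: any [LINK] or [LINK=...] tag still present failed the
    // character check, so drop it instead of emitting it.
    return preg_replace("/\\[LINK(?:=[^\\]]*)?\\](.*?)\\[\\/LINK\\]/is",
        "<i>(link removed)</i>", $text);
}

// Constructed inputs: the two legitimate forms and the red-span attempt
// from the question.
$samples = [
    "[LINK]http://www.domain.com[/LINK]",
    "[LINK=http://www.domain.com]example text[/LINK]",
    "[LINK]http://www.domain.com 'span style=\"color:red;\"'[/LINK]",
];
foreach ($samples as $sample) {
    echo convertBbLinks($sample), "\n";
}
```

The character class only prevents the value from breaking out of the href attribute; it does not check that the value is actually a URL or restrict its scheme, which is the point the second answer raises.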
A: 

That's very dangerous, especially if your guests are smart enough to start adding onclick handlers onto the link.

As mvds has said, replace all quotations and apostrophes. Sanitising input is essential.

For this particular URL problem however, that won't necessarily help. There are however plenty of regex URL validators which would strip out any naughty little code modifiers from the actual URL.

Tom Gullen
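The validator approach this answer points at, as an added example that is not part of the answer or the question. Instead of a hand-written regex validator it uses PHP's built-in URL filter, accepts only the http and https schemes, and HTML-encodes everything written into the output. Names are my own, and PHP 7.4 or later is assumed for the arrow functions.

```php
<?php
// Added example, not part of this answer: validate each captured URL with
// filter_var, allow only http/https, and encode both href and label.
function renderBbLink(string $url, string $label): string
{
    // Reject anything that is not a syntactically valid absolute URL, and
    // anything whose scheme is not http or https.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    $valid = filter_var($url, FILTER_VALIDATE_URL) !== false
        && in_array($scheme, ['http', 'https'], true);
    if (!$valid) {
        return '<i>(link removed)</i>';
    }

    // Encode both values for the HTML context they land in. ENT_QUOTES also
    // converts single quotes, so the attribute stays intact whatever the
    // filter lets through.
    $href = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    $text = htmlspecialchars($label, ENT_QUOTES, 'UTF-8');
    return "<a href=\"$href\" target=\"_blank\" rel=\"noopener\">$text</a>";
}

function convertBbLinksValidated(string $text): string
{
    // [LINK=url]label[/LINK]; the URL part stops at the first ']'.
    $text = preg_replace_callback('/\[LINK=([^\]]*)\](.*?)\[\/LINK\]/is',
        fn(array $m) => renderBbLink($m[1], $m[2]), $text);

    // [LINK]url[/LINK]; the URL doubles as the label.
    return preg_replace_callback('/\[LINK\](.*?)\[\/LINK\]/is',
        fn(array $m) => renderBbLink($m[1], $m[1]), $text);
}

// Constructed inputs: the red-span attempt from the question (whitespace and
// quotes inside the URL), a valid link of each form, and a scheme-less
// address that the filter rejects.
$samples = [
    "[LINK]http://www.domain.com 'span style=\"color:red;\"'[/LINK]",
    "[LINK]https://www.domain.com/path?a=1&b=2[/LINK]",
    "[LINK=http://www.domain.com]example text[/LINK]",
    "[LINK]www.domain.com[/LINK]",
];
foreach ($samples as $sample) {
    echo convertBbLinksValidated($sample), "\n";
}
```

One caveat: FILTER_VALIDATE_URL requires an absolute URL with a scheme, so a bare www.domain.com is removed rather than rendered. If users are expected to omit the scheme, decide explicitly how to handle that (for example by prepending http:// before validating) rather than loosening the check.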