Howdy people
Irrelevant background info: I've been playing around with trying to write a decent forum for a project I'm on, and I'm concentrating on the security side; htmlEditFormat(), custom url tags and suchlike, and this little issue came up.
Imagine for example that a user wants to post a link - through whatever method this gets saved in the db as:
That's all fine. I've done the regex to find the url and anchor text and turn it into a valid hyperlink on the fly. So far, so good.
However, I'd like to stop people being able to post html in the anchor text. Well, not even that necessarily as I could do multiple regex searches to see if they're doing that, but say for a second I just wanted to htmlEditFormat() the anchor text.
Enough talk, here's a standalone, cut down example:
<cfoutput>#reReplaceNoCase('<a href="hello">Something</a>', '(.*)', htmlEditFormat("\1"), 'all')#</cfoutput>
It doesn't error, but it also doesn't perform the htmlEditFormat(). Not a massive surprise if I'm honest, as I suspect the regex pattern and string are just passed off to a java library somewhere which clearly won't understand CF, but I'm surprised it doesn't error. Can anyone think of any way around this?
As I say I appreciate I can just search for special characters and error, but I'd rather get this working for my own sanity if it's at all possible.
Cheers
O.
<cfoutput>#reReplaceNoCase('<a href="hello">Something</a>', '(.*)', htmlEditFormat("\1"), 'all')#</cfoutput>
Not a massive surprise if I'm honest, as I suspect the regex pattern and string are just passed off to a java library somewhere which clearly won't understand CF, but I'm surprised it doesn't error.
Why would it error? CF will simply be htmlEditFormat()-ing "\1" before passing it to the regex processor. As neither backslash nor 1 need escaping, this has no effect, but equally, all you end up doing is replacing everything ( (.*) ) with itself ( \1 ), hence not seeing any change.
I guess you're wanting CF to pass:
htmlEditFormat("\1")
as the substitution string (or, like, as some sort of callback), but that's not what happens. The CF gets run first, then the result gets passed to the regex processor.
What you need to do is to check to see if there's anything that needs to be "escaped", then if so: extract it, escape it, then put it back in.
There's no way of doing it in a single hit.
--
Adam
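An added example, not code from either poster, showing the three things Adam's reply describes: the replacement string being evaluated by the host language before the regex engine sees it (so escaping "\1" is a no-op), the find/extract/escape/put-back loop he suggests instead, and the callback form the question was hoping for. It is written in Python rather than CFML so the mechanism can be run and checked; the loop maps directly onto a reFindNoCase()/mid() loop in CF. The `html_edit_format` helper reproduces the four substitutions htmlEditFormat() makes, the `<a ...>text</a>` pattern and the sample strings are constructed for the example, and the assumed storage format of the link is left aside, since the thread doesn't show it.

```python
import re

# Added example, not code from the thread. Mirrors the CF behaviour Adam
# describes: the host language evaluates the replacement string before the
# regex engine sees it, so escaping a backreference in the template is a
# no-op, and the fix is to escape the captured text outside the substitution.

# Constructed sample input: anchor text containing markup that must be
# neutralised, next to an anchor whose text is harmless.
SAMPLE = ('Hello <a href="hello">Some <b>bold</b> & <script>x()</script></a> '
          'and <a href="x">plain</a>.')

# The exact string the original post runs through reReplaceNoCase().
THREAD_INPUT = '<a href="hello">Something</a>'

# Assumed pattern for one <a ...>text</a>; group 1 is the anchor text. Lazy,
# so tags nested inside the text do not swallow the next anchor.
ANCHOR = re.compile(r'<a\s[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)


def html_edit_format(text):
    """The four substitutions CF's htmlEditFormat() makes (& < > and "),
    with & first so the entities produced here are not double-escaped."""
    return (text.replace('&', '&amp;')
                .replace('<', '&lt;')
                .replace('>', '&gt;')
                .replace('"', '&quot;'))


def escape_in_template(text):
    """What the original post does. html_edit_format(r'\\1') runs first and
    returns the unchanged two characters backslash-1, so the regex engine
    still receives a plain backreference and replaces the match with itself."""
    template = html_edit_format(r'\1')   # nothing in "\1" needs escaping
    return re.sub(r'(.*)', template, text)


def escape_anchor_text_loop(text):
    """Adam's suggestion: find each anchor, cut out the captured text, escape
    it, splice it back, and carry on after the match. This is the shape a
    reFindNoCase()/mid() loop takes in CF; only finditer() is Python-specific."""
    pieces = []
    cursor = 0
    for m in ANCHOR.finditer(text):
        pieces.append(text[cursor:m.start(1)])         # up to and including <a ...>
        pieces.append(html_edit_format(m.group(1)))    # only the anchor text is escaped
        pieces.append(text[m.end(1):m.end(0)])         # the closing </a>
        cursor = m.end(0)
    pieces.append(text[cursor:])                       # whatever follows the last anchor
    return ''.join(pieces)


def escape_anchor_text_callback(text):
    """The callback form the original post was hoping for: the engine hands
    each match to a function, which can transform the captured group."""
    def repl(m):
        return (m.string[m.start(0):m.start(1)]
                + html_edit_format(m.group(1))
                + m.string[m.end(1):m.end(0)])
    return ANCHOR.sub(repl, text)


if __name__ == '__main__':
    print('template approach :', escape_in_template(THREAD_INPUT))
    print('loop approach     :', escape_anchor_text_loop(SAMPLE))
    print('callback approach :', escape_anchor_text_callback(SAMPLE))
```

The loop and the callback produce the same output, and only the text between `<a ...>` and `</a>` is touched. Escaping the anchor text does nothing for the href itself, so whatever builds the `<a>` tag still has to validate the URL (scheme and characters) separately; this example deliberately leaves that to the "custom url tags" the original post mentions.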
CF will simply be htmlEditFormat()-ing "\1" before passing it to the regex processor.
Spot on actually, not really sure what I was thinking. I guess I was thinking it'd do the same replacement on CF functions as it does with the back references.
Annoying but understandable I guess, cheers Adam for taking the time.
O.