[RESOLVED] string find and replace?

atokatim

Ok...here is another one for you all. What would be the easiest way to check if a string has a certain text in it. If it does not, add it, but if it does, do nothing. I don't want it to be case sensitive either.

Inputed text : <embed src="http://www.somesite.com/flash.swf">

output text : <embed allowscriptaccess="never" src="http://www.somesite.com/flash.swf">

if inputed like this : <embed allowscriptaccess="never" src="http://www.somesite.com/flash.swf">

or : <EmBed allowscriptaccess="never" src="http://www.somesite.com/flash.swf">

comes out as : <embed allowscriptaccess="never" src="http://www.somesite.com/flash.swf">

here is what i have been trying :

if (!is_int(strpos('<embed allowscriptaccess="never" ', $about))){
	$about = str_replace("<embed ", '<embed allowscriptaccess="never" ', $about);
}

// or.....

if (strpos('<embed allowscriptaccess="never" ', $about) === false){
	$about = str_replace("<embed ", '<embed allowscriptaccess="never" ', $about);
}

any ideas?

atokatim

nevermind, i got it.

i used :

$isembed = eregi('<embed allowscriptaccess=', $toreplace);
if($isembed != 1){
	$toreplace = eregi_replace("<embed ", '<embed allowscriptaccess="never" ', $toreplace);
}

atokatim

ok, i thought i got it, but i removed a vital part of the script.

How would you get the eregi() function to check for " ? i need to look for <embed allowscriptaccess="never" with the quotes. that seems to be my problem. any ideas?

laserlight

Basically, for every embed tag (which is non-standard, by the way) that does not have the attribute allowscriptaccess="never", you want to add that attribute?

atokatim

yes, if a user enters any <embed> command in their profile, it will add allowscriptaccess="never" this is to prevent any javascript attacks on users through any flash content that may call for javascripts

laserlight

hmm... this seems to work:

$text = preg_replace('#\<embed(.*?)\>#i', '<embed allowscriptaccess="never"\1>', $text);

There is no need to check for a match first since the replacing must find a match before any replace can take place.

atokatim

well, that worked...but....if <embed allowscriptaccess="never" is already there, it still puts another allowscriptaccess="never"

if i run it again, it adds another one. is there a way to check to see if allowscriptaccess="never" is already there? If it is, don't do anything?

laserlight

if i run it again, it adds another one. is there a way to check to see if allowscriptaccess="never" is already there? If it is, don't do anything?

hmm... looks like I was mistaken then. One does have to scan for that first.

if (preg_match('#<embed.*?allowscriptaccess=(\'|")?never(\'|")?.*?>#i', $text) == 0) {
	$text = preg_replace('#<embed(.*?)>#i', '<embed allowscriptaccess="never"\1>', $text);
}

atokatim

Still not working 🙁 it is still adding another allowscriptaccess="never" blah....i know if there is a will, there is a way!

oh....and it cannot be case sensitive either just incase someone uses <EMBED AllowScriptAccess="never" I swear i ask of too much, but i really appreciate you helping me!

laserlight

hmm... are you having problems when there are more than one embed tag? Logically that is rather unlikely to happen, but I dont think my regex handles it.

and it cannot be case sensitive either just incase someone uses <EMBED AllowScriptAccess="never"

It isnt case sensitive.

Weedpacket

Modifying laserlight's code to put a negative assertion in:

 $text = preg_replace('#<embed((?:(?!allowscriptaccess="never").)*?)>#i', '<embed allowscriptaccess="never"\1>', $text);

Of course, as laserlight noted, <embed> has been deprecated, in favour of <object>.

atokatim

i am using this in a function so that when someone updates their profile, it removes all the things that i do not allow and adds the allowsriptaccess="never" to any embed code that may be in it....no matter how many there are.

still does not work 🙁

here is my code...

function filterout($toreplace) 
{
if($toreplace != ""){
	$toreplace = eregi_replace("<script", "<..", $toreplace);
	$toreplace = eregi_replace("</script>", "</..>", $toreplace);
	$toreplace = str_replace("<?", "", $toreplace);
	$toreplace = str_replace("?>", "", $toreplace);
	//$embedcode = '<embed allowscriptaccess=[\"]never(\")';
	//$isembed = eregi($embedcode, $toreplace);
	//if($isembed != 1){
	//	$toreplace = eregi_replace("<embed ", $embedcode, $toreplace);
	//}
	if (preg_match('#<embed.*?allowscriptaccess=(\'|")?never(\'|")?.*?>#i', $toreplace) == 0) {
		$toreplace = preg_replace('#<embed(.*?)>#i', '<embed allowscriptaccess="never"\1>', $toreplace);
	}
}
return $toreplace;
}

atokatim

anyone?

atokatim

If i took out the quotes in the string that i am trying to find, will that work?

function filterout($toreplace) 
{
if($toreplace != ""){
	$toreplace = eregi_replace("<object", "<..", $toreplace);
	$toreplace = eregi_replace("</object", "</..", $toreplace);
	$toreplace = eregi_replace("<script", "<..", $toreplace);
	$toreplace = eregi_replace("</script", "</..", $toreplace);
	$toreplace = str_replace("<?", "", $toreplace);
	$toreplace = str_replace("?>", "", $toreplace);
	$embedcode = '<embed allowscriptaccess=never';
	$isembed = eregi($embedcode, $toreplace);
	echo $isembed; // Debugging Purposes.
	if($isembed != 1){
		$toreplace = eregi_replace("<embed ", "<embed allowscriptaccess=never ", $toreplace);
	}
}
return $toreplace;
}

the allowscriptaccess=never cannot be overwritten somewhere down in the embed code by allowscriptaccess="always" can it?

example : <embed allowscriptaccess=never src="http://www.somesite.com/flash.swf" allowscriptaccess="always">

would that still not allow script access?

Weedpacket

See reply above?

atokatim

I tried that, and it worked to replace <embed allowscriptaccess="never", but it kept on adding more allowscriptaccess="never" even if there was one already there.

atokatim

This is what i am trying to do in the best way that i can explain this.....

A user has the ability to add code to their profile on my site. I am trying to create a function that will clean up the code if the user is using any html and it is something that i do not want to allow. I have everything working except for if a user enters the <embed> code.

For the embed code, I want to add allowscriptaccess="never" (with or without the quotes) if ANY of the <embed> commands DO NOT already have that in it.

If i enter :

<embed allowscriptaccess=never src="flash.swf">

into one textarea, i want the code to come back as :
<embed allowscriptaccess="never" src="flash.swf"><br>
<embed allowscriptaccess="never" src="flash2.swf"><br>
<embed allowscriptaccess="never" src="flash3.swf"><Br>
<embed allowscriptaccess="never" src="flash.swf">

How would i do this? The problem that i have is i cannot check to see if the <embed> code already has allowscriptaccess="never" because of the quotes.

Weedpacket

Or strip all existing occurrences of allowscriptaccess="never" out of any embed tags that contain it, and then you won't have to check it's there when you're putting it in.

In fact, you'd want to strip all occurrences of "allowscriptaccess" attributes, whatever their value, won't you? Don't forget, too, that there can be whitespace between the = and the attribute name and/or value. To deal with different quoting styles it may be easier to deal with ", ' and separately - so that's three expressions. Which I think are

#<embed([^>]*)allowscriptacess\s*=\s*'[^']*'([^>]*)>#i
#<embed([^>]*)allowscriptacess\s*=\s*"[^"]*"([^>]*)>#i
and finally
#<embed([^>]*)allowscriptacess\s*=\s*[^ >]*([^>]*)>#i
each replaced with
<embed$1 $2>

After that it's trivial to just put 'allowscriptaccess="never"' into all <embed> tags.

What would also be simpler (at least, in PHP5) would be to use the DOM extension:

$doc = @DOMDocument::loadHTML($string);
$embed_tags = $doc->getElementsByTagName("embed");
for($i=0; $i<$embed_tags->length; ++$i)
	$embed_tags->item($i)->setAttribute("allowscriptaccess","never");
echo $doc->saveHTML();

Two drawbacks: since <embed> is not a valid HTML tag, the loadHTML() method needs to have its error messages suppressed with @; and the output HTML ends up with additional tags added so that the string is valid HTML. Well, three drawbacks: it assumes the input is HTML, not text with a few HTML tags thrown in....

comeonbaby

try this please:

$text = str_replace("\\\"", "\"", $text);		
$text = preg_replace("/ allowscriptaccess=[^ ]*never[^ ]*/i", "", $text);
$text = preg_replace("/<embed /i", "<embed allowscriptaccess=\"never\" ", $text);

comeonbaby

i test it worked well, this is my test code:
test.php
<?php
$text = $REQUEST['text'];
if (!empty($submit))
{
$text = str_replace("\\"", "\"", $text);
$text = preg_replace("/ allowscriptaccess=[^ ]never[^ ]/i", "", $text);
$text = preg_replace("/<embed /i", "<embed allowscriptaccess=\"never\" ", $text);
}
?>
<form action="<?php echo $SERVER['PHP_SELF']; ?>">
<textarea name="text" rows="10" cols="150"></textarea><br>
<textarea name="text2" rows="10" cols="150">
<?php
echo $text;
?></textarea>
<input type="submit" name="submit" value="submit">
</form>