I recently discovered an issue where people using BB Code to enter links are

Question

0

Editorial Team

Asked: May 16, 20262026-05-16T06:42:38+00:00 2026-05-16T06:42:38+00:00

I recently discovered an issue where people using BB Code to enter links are

0

I recently discovered an issue where people using BB Code to enter links are able to manipulate them.

They are meant to enter something like:

[LINK=http://www.domain.com]example text[/LINK]

However they can enter something like this to make the link color red:

[LINK=http://www.domain.com 'span style="color:red;"']example text[/LINK]

This is the code which converts it:

$text = preg_replace("/\[LINK\=(.*?)\](.*?)\[\/LINK\]/is", "<a href='$1' target='_blank'>$2</a>", $text);

Someone else was kind enough to provide a solution to a very similar problem but they want me to start a new question for this. Their solution just needs adapting. I have tried myself but I really can’t get it to work. How to stop BB Code manipulation?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-16T06:42:39+00:00

preg_replace_callback("/\\[LINK\=(.*?)\\\](.*?)\\[\/LINK\\]/is",
    function (array $matches) {
        if (filter_var($matches[1], FILTER_VALIDATE_URL))
            return '<a href="'.
                htmlspecialchars($matches[1], ENT_QUOTES).
                '" target="_blank">'.
                htmlspecialchars($matches[2])."</a>";
        else
            return "INVALID MARKUP";
    }, $text);

Use a callback to validate the URL and don’t forget htmlspecialchars.

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I recently discovered an issue where people using BB Code to enter links are

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply