On Thu, Sep 30, 2010 at 06:18:24PM +0200, PyroPeter wrote:
+ $url = str_replace('&','&', $url); + $url = str_replace('&', '&', $url);
What about the occurrences of "&(html-entity-code-here);" you produced the line before?
Nothing? Any occurrence of an HTML entity code is correctly encoded as "&". People shouldn't be able to manually insert HTML entities in comments. The first line is actually even superfluous as I realized just now since ampersands should already have been replaced by htmlspecialchars() before at the time this line is executed (didn't check that before, this part of code has been extracted from the DokuWiki plugin).
+ $patterns[] = '(\b(?i)www?(?-i)\.[' . $host . ']+?\.[' . $host . ']+?[' . $any . ']+?(?=[' . $punc . ']*[^' . $any . ']))'; + $patterns[] = '(\b(?i)ftp?(?-i)\.['. $host . ']+?\.[' . $host . ']+?[' . $any . ']+?(?=[' . $punc . ']*[^' . $any . ']))';
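Review bot: in both added patterns the `?` binds only to the letter before it, so `www?` also accepts `ww.` and `ftp?` also accepts `ft.` as a hostname prefix. If only the `www.` and `ftp.` subdomains are meant to be converted, drop the `?` after `www` and after `ftp`.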
I am not that experienced with PHP, but this looks like the $patterns array got replaced instead of extended.
Nope, it doesn't. Check [1].
+ $comment = htmlspecialchars($comment);
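Review bot: `htmlspecialchars($comment)` is called without a flags argument, so whether single quotes are escaped depends on the PHP version's default (before PHP 8.1 they are left as-is). Since this patch goes on to turn URLs in the comment into link markup, pass `ENT_QUOTES` and an explicit charset here so that neither quote character can end an attribute value.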
Won't this render the next instruction useless if there are html-characters in a link?
Nope. Links need to be escaped as well. Not sure what happens if a link contains quotes or "<"/">". This shouldn't happen too often tho.
Generally I would not make hostnames ("www.foo.tld") clickable. If people are not able to provide proper URLs, they have a serious problem. (There is also the technical argument that the hostname is not a good indicator for the kind of service the host provides.)
Why not? What if you explicitly want to link to a project's home page? It'll also just convert hostnames if they start with a "www" or "ftp" subdomain, so comments referring to domains in other ways won't be converted.

[1] http://www.php.net/manual/de/language.types.array.php#language.types.array.s...
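The escape-then-linkify order discussed in this thread, as an added example that is not part of the original message or the patch. The function name, the simplified pattern (scheme URLs only) and the sample comments are assumptions made for illustration.

```php
<?php
// Added illustration: names and the pattern are hypothetical, not the patch's.
function render_comment(string $comment): string
{
    // Escape the whole comment first. ENT_QUOTES also encodes ', so neither
    // quote style can terminate the href attribute written below.
    $safe = htmlspecialchars($comment, ENT_QUOTES, 'UTF-8');

    // Linkify the already escaped text. A URL ends at whitespace or at an
    // escaped quote or angle bracket; trailing punctuation stays outside.
    $pattern = '~\bhttps?://(?:(?!&(?:quot|lt|gt|#039);)\S)+(?<![.,:!?)])~i';

    return preg_replace($pattern, '<a href="$0">$0</a>', $safe);
}

// Constructed sample comments.
$samples = [
    'See http://example.org/?a=1&b=2.',
    'Quoted: "http://example.org/pkg" and <http://example.org/x>',
    "It's <b>not</b> markup",
];
foreach ($samples as $s) {
    echo render_comment($s), "\n";
}
```

Because the pattern runs on the escaped text, an ampersand inside a link reaches the `href` as `&amp;` exactly once, and quotes or angle brackets around a link end the match instead of becoming part of the attribute.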