/**
 * Render an [img] tag as an HTML <img> element.
 *
 * The tag content (or, when the content is empty, the tag's default value) is treated as
 * the image location and handled in one of three ways:
 *
 * 1. A scheme-less relative path whose extension is listed in `$this->imageExtensions`
 *    is emitted relative to `$bbcode->getLocalImgURL()`.
 * 2. Anything else that `$bbcode->isValidURL()` accepts is emitted as-is (escaped).
 * 3. Otherwise the original tag text is echoed back, HTML-escaped, instead of an image.
 *
 * NOTE(review): the protocol restriction (http, https and ftp, per the original
 * description of this method) is not enforced in this method; it is presumably applied
 * inside `isValidURL()` — confirm there.
 *
 * @param BBCode $bbcode The {@link BBCode} object doing the parsing.
 * @param int $action The current action being performed on the tag.
 * @param string $name The name of the tag. Not used by this method.
 * @param string $default The default value passed to the tag in the form: `[tag=default]`.
 * @param array $params All of the parameters passed to the tag; `_tag` and `_endtag` are read
 * for the fallback output.
 * @param string $content The content of the tag. Only available when `$action` is **BBCODE_OUTPUT**.
 * @return string|bool Returns `true` for **BBCODE_CHECK**; otherwise the image tag, or the
 * escaped original tag text when the location is rejected.
 */
public function doImage(BBCode $bbcode, $action, $name, $default, $params, $content)
{
    // Validation needs the tag content, which is not available during the check pass.
    if ($action == BBCode::BBCODE_CHECK) {
        return true;
    }

    // Drop markup, pass the text through the parser's HTML decoder and trim it.
    $content = trim($bbcode->unHTMLEncode(strip_tags($content)));

    // Fall back to the [img=...] default when the tag body is empty.
    if (empty($content) && $default) {
        $content = $default;
    }

    $parts = parse_url($content);

    if (is_array($parts)) {
        // "Local" means: has a path, has no scheme, does not begin with "/", "./" or "../",
        // and ends in an allowed image extension. Only the start of the path is inspected;
        // ".." segments further into the path are not examined here.
        $isLocalImage = !empty($parts['path'])
            && empty($parts['scheme'])
            && !preg_match('`^\\.{0,2}/`', $parts['path'])
            && in_array(pathinfo($parts['path'], PATHINFO_EXTENSION), $this->imageExtensions);

        if ($isLocalImage) {
            $localBase = $bbcode->getLocalImgURL();

            if (empty($localBase)) {
                $prefix = '';
            } else {
                $prefix = $localBase . '/';
            }

            $src = htmlspecialchars($prefix . ltrim($parts['path'], '/'));
            $alt = htmlspecialchars(basename($content));

            // htmlspecialchars() runs with its default flags, so the attribute values
            // must stay wrapped in double quotes for the escaping to be sufficient.
            return "<img src=\"" . $src . '" alt="' . $alt . '" class="bbcode_img" />';
        }

        // Remote URL, or at least one whose location is unknown.
        if ($bbcode->isValidURL($content, false)) {
            $src = htmlspecialchars($content);
            $alt = htmlspecialchars(basename($content));

            return '<img src="' . $src . '" alt="' . $alt . '" class="bbcode_img" />';
        }
    }

    // Rejected location: show the tag as literal, escaped text rather than an image.
    $openTag = htmlspecialchars($params['_tag']);
    $body = htmlspecialchars($content);
    $closeTag = htmlspecialchars($params['_endtag']);

    return $openTag . $body . $closeTag;
}