Of course. Let's break down cfg_replacestr in DedeCMS (织梦内容管理系统).

This is a powerful but often misunderstood configuration setting used for security and content filtering.
What is cfg_replacestr?
cfg_replacestr is a configuration variable located in the dede/sys_config.php file. It's an array used to define a list of "bad words" or sensitive keywords that you want to automatically find and replace within user-submitted content.
Its primary purpose is to act as a simple, built-in content filter and security measure to prevent users from posting malicious scripts, spam, or other undesirable content.
How It Works
When DedeCMS processes content that a user submits (e.g., through a comment, a guestbook entry, or a form), it checks the content against the list of keywords defined in cfg_replacestr.

For each keyword it finds, it replaces it with the corresponding replacement string you've defined.
The Logic:
$cfg_replacestr is an associative array where:
- Key ('keyword'): The word or phrase you want to find.
- Value ('replacement'): The string you want to replace the keyword with.
Example:
If you have this in your cfg_replacestr:
```php
$cfg_replacestr = array(
    '黑客' => 'H**K',
    '病毒' => 'V**S',
    '<script>' => '&lt;script&gt;'
);
```
And a user submits the comment: “小心黑客,他们可能传播病毒!<script>alert('xss')</script>”

DedeCMS will process it and change it to:
“小心H**K,他们可能传播V**S!&lt;script&gt;alert('xss')</script>”
Where is it Used? (The Hook)
The cfg_replacestr array is not applied everywhere automatically. It's specifically used by a core function called FilterSearch().
This function is typically called in the following scenarios:
- Comments (评论): When a user submits a comment on an article or a picture.
- Guestbook (留言簿): When a user signs the guestbook.
- Member/Member Model Content (会员/会员模型内容): When members submit content through their own publishing areas.
- Other User-Submitted Forms: Any custom form that is designed to use this filtering mechanism.
You can find the FilterSearch() function in /include/helpers/filter.helper.php.
Practical Examples
Let's look at some common use cases for cfg_replacestr.
Example 1: Filtering Profanity and Sensitive Words
This is the most common use case. You want to block bad words.
```php
// In dede/sys_config.php
$cfg_replacestr = array(
    '傻逼' => '***',
    '脑残' => '文明用语',
    '操' => '@#$%',
    'TMD' => '文明用语'
);
```
Example 2: Preventing Cross-Site Scripting (XSS)
This is a critical security measure. You want to prevent users from injecting malicious JavaScript.
```php
// In dede/sys_config.php
$cfg_replacestr = array(
    '<script' => '&lt;script',
    '</script>' => '&lt;/script&gt;',
    'javascript:' => 'java script:',
    'onload=' => 'on load='
);
```
Note: Simply replacing <script> with &lt;script&gt; is a good first step, but advanced XSS attacks can use other HTML tags and attributes. A more robust solution involves a dedicated security library, but this is a basic DedeCMS-level protection.
Example 3: Blocking Spam Keywords
Stop users from posting specific spam phrases.
```php
// In dede/sys_config.php
$cfg_replacestr = array(
    'QQ群' => '联系群',
    '加微信' => '联系微信',
    '淘宝店' => '我的店铺',
    'Viagra' => 'V**A'
);
```
How to Modify cfg_replacestr
Warning: Always back up your files before making changes.
- Connect to your server via FTP or use the file manager in your hosting control panel.
- Navigate to the DedeCMS root directory.
- Open the file /dede/sys_config.php.
- Find the $cfg_replacestr array. It might be empty, or it might already have some entries.
- Add your own keywords and replacements in the array(...) format.
- Save the file.
- Clear the DedeCMS cache for the changes to take effect. You can usually do this in the system's "System" -> "Clear Cache" section of the backend.
Important Considerations and Limitations
- It's Not a Silver Bullet: cfg_replacestr is a basic filter. It can be bypassed by skilled attackers (e.g., using case variations like <SCRIPT>, or encoding). For a high-traffic or security-sensitive site, you should consider more advanced solutions.
- Performance: Having an extremely long list of keywords can have a minor impact on performance, as every piece of user-submitted content must be scanned. For most sites, this is negligible.
- Case Sensitivity: The default string replacement is case-sensitive. The words "Hack" and "hack" would be treated as different words. To make it case-insensitive, you would need to modify the FilterSearch() function itself, which is more advanced.
- Word Boundaries: The filter looks for the exact string. If you block "hack", it will also block "hacker" because "hack" is contained within it. This is usually the desired behavior, but be aware of it.
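As an added illustration (this is not DedeCMS's own code and not part of the original explanation), the following stand-alone PHP models the ['keyword' => 'replacement'] logic described under "The Logic" and exercises the limitations listed above: case sensitivity, substring matching, and why encoding for the output context is the robust answer that a keyword list is not. The function names (applyReplaceStr, applyReplaceStrCI, applyReplaceStrWholeWord, escapeForHtml), the table contents and the sample comments are assumptions constructed for this example; it assumes PHP 7 or later with the mbstring extension.

```php
<?php
// Added example, not DedeCMS code: a stand-alone model of the
// keyword => replacement table described on this page, plus the
// limitations it lists. Function names and sample inputs are
// assumptions for this example. Assumes PHP 7+ with mbstring.

// Constructed table in the ['keyword' => 'replacement'] shape.
$cfg_replacestr = array(
    '黑客'        => 'H**K',
    '病毒'        => 'V**S',
    '<script'     => '&lt;script',
    '</script>'   => '&lt;/script&gt;',
    'javascript:' => 'java script:',
);

// Case-sensitive exact-substring replacement, the default behaviour the
// page describes. strtr() scans the input once and never re-scans text it
// has already replaced, so one replacement value cannot trigger another key.
function applyReplaceStr(string $content, array $table): string
{
    return strtr($content, $table);
}

// Case-insensitive variant: one regex alternation over all keys, longest
// first, with the replacement looked up by the lower-cased match.
function applyReplaceStrCI(string $content, array $table): string
{
    $byLower = array();
    foreach ($table as $key => $replacement) {
        $byLower[mb_strtolower($key, 'UTF-8')] = $replacement;
    }
    $keys = array_keys($table);
    usort($keys, function ($a, $b) { return strlen($b) - strlen($a); });
    $quoted  = array_map(function ($k) { return preg_quote($k, '/'); }, $keys);
    $pattern = '/' . implode('|', $quoted) . '/iu';
    return preg_replace_callback($pattern, function ($m) use ($byLower) {
        return $byLower[mb_strtolower($m[0], 'UTF-8')];
    }, $content);
}

// Whole-word variant for Latin keywords: 'hack' no longer rewrites 'hacker'.
// \b has no useful meaning between CJK characters, so keep CJK keys in the
// plain substring table above.
function applyReplaceStrWholeWord(string $content, array $table): string
{
    foreach ($table as $key => $replacement) {
        $pattern = '/\b' . preg_quote($key, '/') . '\b/u';
        $content = preg_replace($pattern, $replacement, $content);
    }
    return $content;
}

// The robust defence the page alludes to: encode for the HTML output context
// instead of hunting for spellings of "<script". Every '<', '>', '&' and
// quote becomes an entity, so the browser renders the submission as text
// no matter how the tag was spelled.
function escapeForHtml(string $content): string
{
    return htmlspecialchars($content, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// --- Demonstration with constructed input ---------------------------------
$comment = "小心黑客,他们可能传播病毒!<script>alert('xss')</script>";
echo applyReplaceStr($comment, $cfg_replacestr), PHP_EOL;

// Limitation 1: an upper-case tag is not in the case-sensitive table, so the
// first call leaves it alone; the case-insensitive variant rewrites it.
$upper = "<SCRIPT>alert(1)</SCRIPT>";
echo applyReplaceStr($upper, $cfg_replacestr), PHP_EOL;
echo applyReplaceStrCI($upper, $cfg_replacestr), PHP_EOL;

// Limitation 2: substring matching also rewrites the "hack" inside "hacker";
// the whole-word variant only touches the stand-alone word.
$words = array('hack' => '****');
echo applyReplaceStr('the hacker will hack it', $words), PHP_EOL;
echo applyReplaceStrWholeWord('the hacker will hack it', $words), PHP_EOL;

// Output encoding neutralises every spelling without any keyword list.
echo escapeForHtml($upper), PHP_EOL;
```

Run it with `php example.php`. The first echo reproduces the behaviour in the worked example above (the Chinese keywords and the opening and closing script tags are rewritten); the upper-case tag passes applyReplaceStr untouched but is rewritten by applyReplaceStrCI; the whole-word variant leaves "hacker" alone; and escapeForHtml turns the entire upper-case submission into inert entities. The design point is that the three replacement functions each close one gap in the list, while escaping for the output context closes all of them at once, which is why the keyword table should be treated as a content-hygiene feature and not as the site's XSS defence.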
Summary
| Feature | Description |
|---|---|
| What is it? | A security/content filter array in dede/sys_config.php. |
| Purpose | To automatically find and replace "bad words" in user-submitted content. |
| How it Works | It's an associative array: ['keyword' => 'replacement']. |
| Where it's Used | Primarily in comments, guestbooks, and member submissions via the FilterSearch() function. |
| Common Uses | Blocking profanity, preventing basic XSS attacks, and stopping spam. |
| How to Edit | Modify the array in /dede/sys_config.php and clear the cache. |
| Limitation | It's a basic filter and can be bypassed. Not a substitute for a comprehensive security strategy. |
