Bloggish questions

  1. #1

    Bloggish questions

    Hey, I just created an update form for my site, so I can make a post and have it update on my front page. Right now I use blogger, but I wrote my own so I wouldn't have to depend on them anymore.

    A couple questions...

    Why do forums like this use bb code? Is there something I am missing out on, is it some kind of security measure to prevent malicious dhtml?

    The javascript that AO has for posting messages is cool, like create hyperlink and stuff... but all I need is 3 buttons, one for bolding text, italicizing, and hyperlinks. I was wondering what that sort of system is called? I googled for javascript text formatting but couldn't find anything good. I don't feel like sorting through all the AO javascript either, I am hoping there is something out there I can use for free and modify?

    Thanks!

  2. #2
    Senior Member | Join Date: Oct 2001 | Posts: 786
    Soda - BBcode is the easy way to protect a website against malicious HTML. Especially if the general public gets to post stuff. All < > and stuff is escaped out, and only stuff in [] is looked at for BBcode. Without it, I could try to craft a link that posts the user's session ID to my own server, or even code something that uses their AP status to neg the hell out of somebody. If you can't escape it because you are allowing HTML, there can be problems. There was huge concern a while back when the AP system was first made because it used to be possible to create a username that "broke" the AP system. If you go through our Addicts Forum you'll find mention of it somewhere. That was because not everything was escaped out somewhere. With BBcode, you can escape everything without breaking things like bolding text, etc.

    This JavaScript code to add the stuff is pretty easy to come by. Here is some I thought of off the top of my head. I don't know if it will work perfectly, some tweaking may be needed.


    Code:
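    <SCRIPT LANGUAGE="JAVASCRIPT">
    // Append starting + the text the user types + closing to the target textarea.
    function addtag ( starting, closing, target )
    {
        var text = prompt("What would you like to " + starting + closing + "?");
        if (text === null) return;  // user pressed Cancel: add nothing instead of "null"
        target.value += starting + text + closing;
    }
    </SCRIPT>

    <FORM NAME=bob>
    <TEXTAREA name=post></TEXTAREA>
    <!-- Each button wraps the prompted text in the given opening and closing tag -->
    <INPUT TYPE="button" ONCLICK='javascript:addtag("<B>","</B>",bob.post)' VALUE="BOLD">
    <INPUT TYPE="button" ONCLICK='javascript:addtag("<A HREF=",">link</A>",bob.post)' VALUE="LINK">
    </FORM>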
    Make sure "javascript" is not split into "java script" -- the forum does this for security reasons I think...

  3. #3
    Senior Member | Join Date: Aug 2001 | Posts: 251
    The other reason is that if you store formatting as HTML then you only get HTML out. With BBCode or some other formatting tag system, you can make a translator that outputs it as html, or pdf, or whatever else with little difficulty.

    The other thing is purely an HTML thing. Ever write an entire page of HTML and forget a closing tag? The results are usually quite unexpected depending on the browser's rendering engine. With BBCode, if the BBCode to HTML converter is written carefully it will ignore these mistakes and not convert them. So [quote] isn't a quote unless it's got its ending tag whereas a <DIV> would just be what it is.

    If you want to look at a BBCode to HTML converter's REGEX (perl compatible at that), the PHP templating engine Smarty has a plugin called bbcode2html which I use because I haven't taken the time to make my own converter yet. If you are doing it in PHP I'd go for the preg_replace() methods just because of their speed...

    Ciao,
    Dhej
    The owl of Minerva spreads its wings only with the falling of dusk. -Hegel
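
Added example, not part of any post in this thread: the escape-everything-first approach described in post #2 combined with the ignore-unclosed-tags behaviour described in post #3, as a minimal JavaScript converter. The tag set ([b], [i], [url=...]), the function names and the http/https-only link rule are assumptions made for this example.

```javascript
// Added example (not from the thread): minimal BBCode-to-HTML converter.
// Tag set, function names and the http/https allow-list are assumptions.

// Step 1: escape every HTML metacharacter so no user-supplied markup survives.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, function (c) {
    return { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c];
  });
}

// Only absolute http(s) URLs become links; any other scheme stays plain text.
function isSafeUrl(url) {
  return /^https?:\/\/[^\s\[\]]+$/i.test(url);
}

// Step 2: convert only complete open/close pairs. A tag without its closing
// partner never matches, so it is left in the output as literal text.
function bbcodeToHtml(input) {
  var html = escapeHtml(input);
  var previous;
  do { // repeat until stable so nested pairs like [b][i]x[/i][/b] all convert
    previous = html;
    html = html
      .replace(/\[b\]([\s\S]*?)\[\/b\]/gi, "<b>$1</b>")
      .replace(/\[i\]([\s\S]*?)\[\/i\]/gi, "<i>$1</i>")
      .replace(/\[url=([^\]]+)\]([\s\S]*?)\[\/url\]/gi, function (m, url, text) {
        // url was already escaped in step 1, so it cannot close the attribute.
        return isSafeUrl(url)
          ? '<a href="' + url + '" rel="nofollow">' + text + "</a>"
          : m; // rejected link: leave the BBCode untouched
      });
  } while (html !== previous);
  return html;
}
```

Because escaping runs before any tag conversion, the only HTML in the output is what the converter itself emits.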
