demonlord 0 Report post Posted March 6, 2008 Hello,is there a way for me to allow bbcode to be used on my site, i'm not running a forum or a cms or anything like that it's just a plain website. if some one could help me that would be great. Share this post Link to post Share on other sites
jlhaslip 4 Report post Posted March 6, 2008 Where on your site? in a Comments field? or in a chat box? or when you add your own content?Regardless, you will need to use php (probably) to change the values from bbcode to html code so it displays properly. you might as well just use html code. They are quite similar. [ b ] == <b>, etc Share this post Link to post Share on other sites
demonlord 0 Report post Posted March 8, 2008 hi jlhaslip, thanks for the reply, i'm wanting to be able to use these in comment fields and in a guest book that i'm making Share this post Link to post Share on other sites
jlhaslip 4 Report post Posted March 8, 2008 well, search:bbcode parser and you just might hit one.First Result looks promising: http://elouai.com/bbcode-sample.php Share this post Link to post Share on other sites
demonlord 0 Report post Posted March 8, 2008 thanks i found a couple of them i like Share this post Link to post Share on other sites
galexcd 0 Report post Posted March 8, 2008 Haslip. That first bbcode parser is terrible. It uses str_replace and is completely exploitable. Just see what happens when you try this bbcode in it: [img]http://forums.xisto.com/no_longer_exists/&; onload="while(true){alert('this parser sucks');}[/img] Share this post Link to post Share on other sites
jlhaslip 4 Report post Posted March 8, 2008 The string parsing from bbcde to html is one thing, security is another and they should be separate functions in your code, depending on the 'threat', the level of security you desire, and the importance of the transaction . I think we both agree that the security of data is important and the first rule of site security is to "Never Trust User Input". Â Let me say that one more time: "Never Trust User Input". Â The input should be 'sanitized' before the code is placed through the parser. And thanks Alex for reminding us of this important point. There are many methods that can be used to sanitize code. Â For example, you could use the following snippet (or similar) to sanitize User Input before processing the code, and there are other methods to make user input more secure. This is only one example: $allowedtags = "<strong><em><ul><li><pre><hr><blockquote><span>";$cstring = strip_tags($val, $allowedtags);$cstring = nl2br($cstring);There are other functions you can arrange for the 'cleansing of data. This is merely an example of one method. For Cross site scripting threats, there is a good one to be found at http://www.quickwired.com/ . I think it would eliminate the threat you proposed as an example. Not tested. Share this post Link to post Share on other sites
alex1985 0 Report post Posted March 8, 2008 What is the way that I can put BBCode on my own site? Share this post Link to post Share on other sites
galexcd 0 Report post Posted March 8, 2008 The string parsing from bbcde to html is one thing, security is another and they should be separate functions in your code, depending on the 'threat', the level of security you desire, and the importance of the transaction . I think we both agree that the security of data is important and the first rule of site security is to "Never Trust User Input". Yes, it is a good idea mostly to have them separate, but remember, in my example, you may not want to escape or delete all quote in a post, just ones within certain tags which would have to be done with preg_replace rather than str_replace, or if you were going to program your own bbcode parser that would pass over and recognize your bbcode and then would modify it on the second pass. Share this post Link to post Share on other sites
demonlord 0 Report post Posted March 10, 2008 so is the one that jlhaslip recomend safe to use, because that is the one i picked, and i dont want to use anything unsafe on my site. if it is not safe, which one would you recomend.  Oh and i dont know if it matters but the tags that i want to use are: centerurlemailyoutuberightso if someone could help me out that would be great Thanks Share this post Link to post Share on other sites
galexcd 0 Report post Posted March 10, 2008 function url($url,$text=""){$url=str_replace(array("<",">"),"",trim($url));if(preg_match("/javascript(\:|\s)/i", $img) || empty($url)) return'<font size=2><i>Error: "'.$url.'" is invalid.</i></font>';if($text=="")$text=$url;return '<a href='.$url.'>'.$text.'</a>';}function bbReplace($string){$string=preg_replace(array('/\[center\](.*?)\[\/center\]/is','/\[right\](.*?)\[\/right\]/is','/\[youtube\](.*?)\[\/youtube\]/is'),array('<center>$1</center>','<div style="align:right;">$1</div>','<object width="425" height="355"><param name="movie" value="http://forums.xisto.com/no_longer_exists/ name="wmode" value="transparent"></param><embed src="http://forums.xisto.com/no_longer_exists/&%2334; type="application/x-shockwave-flash" wmode="transparent" width="425" height="355"></embed></object>'),$string);$string=preg_replace(array('/\[url\=(.*?)\](.*?)\[\/url\]/ie','/\[email\](.*?)\[\/email\]/ie'),array("url('$1','$2')","url('mailto:'.'$1','$1')"),$string);return $string;} So save this in a file or just add this snippet of code to the beginning of the file you want the bb-code parsing to happen.This was written very quickly and haphazardly and was not tested so if you have any problems, just post them here. Share this post Link to post Share on other sites
demonlord 0 Report post Posted March 10, 2008 (edited) thank you i will give it a try and post back if i have any problems when i tested this code i could not get it to work, why is this? Edited March 10, 2008 by demonlord (see edit history) Share this post Link to post Share on other sites
rvalkass 5 Report post Posted March 10, 2008 when i tested this code i could not get it to work, why is this?I assume you got an error message appear on the screen? It would be helpful if you could post the error messages, as that will lead us to the source of the error. Share this post Link to post Share on other sites
alex1985 0 Report post Posted March 10, 2008 Can I insert like the BB Code on my site, like the one on forums as well as on portals, just click the icons above the typing field, and it will do automatically?! Share this post Link to post Share on other sites
demonlord 0 Report post Posted March 10, 2008 no there was no error message it just gave me the tags that i put in the comment field when i submitted, it. i tryed using the center tag so in the comment fields i pu the following: [center]this is a test to see if the bbcodes are working[/center]and when it submitted the info, all i saw was what i put in the box center tags and all. Share this post Link to post Share on other sites