Bbcodes On Websites

[demonlord 0]

Hello,is there a way for me to allow bbcode to be used on my site, i'm not running a forum or a cms or anything like that it's just a plain website. if some one could help me that would be great.

[jlhaslip 4]

Where on your site? in a Comments field? or in a chat box? or when you add your own content?Regardless, you will need to use php (probably) to change the values from bbcode to html code so it displays properly. you might as well just use html code. They are quite similar. [ b ] == <b>, etc

[demonlord 0]

hi jlhaslip, thanks for the reply, i'm wanting to be able to use these in comment fields and in a guest book that i'm making

[jlhaslip 4]

well, search:bbcode parser and you just might hit one.

First Result looks promising: http://elouai.com/bbcode-sample.php

[demonlord 0]

thanks i found a couple of them i like

[galexcd 0]

Haslip. That first bbcode parser is terrible. It uses str_replace and is completely exploitable. Just see what happens when you try this bbcode in it:

[img]http://forums.xisto.com/no_longer_exists/&; onload="while(true){alert('this parser sucks');}[/img]

[jlhaslip 4]

The string parsing from bbcde to html is one thing, security is another and they should be separate functions in your code, depending on the 'threat', the level of security you desire, and the importance of the transaction .

I think we both agree that the security of data is important and the first rule of site security is to "Never Trust User Input".

 

Let me say that one more time: "Never Trust User Input".

 

The input should be 'sanitized' before the code is placed through the parser. And thanks Alex for reminding us of this important point. There are many methods that can be used to sanitize code.

 

For example, you could use the following snippet (or similar) to sanitize User Input before processing the code, and there are other methods to make user input more secure. This is only one example:

$allowedtags = "<strong><em><ul><li><pre><hr><blockquote><span>";$cstring = strip_tags($val, $allowedtags);$cstring = nl2br($cstring);

There are other functions you can arrange for the 'cleansing of data. This is merely an example of one method.

For Cross site scripting threats, there is a good one to be found at http://www.quickwired.com/ .

I think it would eliminate the threat you proposed as an example. Not tested.

[alex1985 0]

What is the way that I can put BBCode on my own site?

[galexcd 0]

The string parsing from bbcde to html is one thing, security is another and they should be separate functions in your code, depending on the 'threat', the level of security you desire, and the importance of the transaction . I think we both agree that the security of data is important and the first rule of site security is to "Never Trust User Input".

Yes, it is a good idea mostly to have them separate, but remember, in my example, you may not want to escape or delete all quote in a post, just ones within certain tags which would have to be done with preg_replace rather than str_replace, or if you were going to program your own bbcode parser that would pass over and recognize your bbcode and then would modify it on the second pass.

[demonlord 0]

so is the one that jlhaslip recomend safe to use, because that is the one i picked, and i dont want to use anything unsafe on my site. if it is not safe, which one would you recomend.

 

Oh and i dont know if it matters but the tags that i want to use are:

center

url

email

youtube

right

so if someone could help me out that would be great

 

Thanks

[galexcd 0]

function url($url,$text=""){$url=str_replace(array("<",">"),"",trim($url));if(preg_match("/javascript(\:|\s)/i", $img) || empty($url)) return'<font size=2><i>Error: "'.$url.'" is invalid.</i></font>';if($text=="")$text=$url;return '<a href='.$url.'>'.$text.'</a>';}function bbReplace($string){$string=preg_replace(array('/\[center\](.*?)\[\/center\]/is','/\[right\](.*?)\[\/right\]/is','/\[youtube\](.*?)\[\/youtube\]/is'),array('<center>$1</center>','<div style="align:right;">$1</div>','<object width="425" height="355"><param name="movie" value="http://forums.xisto.com/no_longer_exists/ name="wmode" value="transparent"></param><embed src="http://forums.xisto.com/no_longer_exists/&%2334; type="application/x-shockwave-flash" wmode="transparent" width="425" height="355"></embed></object>'),$string);$string=preg_replace(array('/\[url\=(.*?)\](.*?)\[\/url\]/ie','/\[email\](.*?)\[\/email\]/ie'),array("url('$1','$2')","url('mailto:'.'$1','$1')"),$string);return $string;}

So save this in a file or just add this snippet of code to the beginning of the file you want the bb-code parsing to happen.

This was written very quickly and haphazardly and was not tested so if you have any problems, just post them here.

[demonlord 0]

thank you i will give it a try and post back if i have any problems

when i tested this code i could not get it to work, why is this?

Edited March 10, 2008 by demonlord (see edit history)

[rvalkass 5]

when i tested this code i could not get it to work, why is this?

I assume you got an error message appear on the screen? It would be helpful if you could post the error messages, as that will lead us to the source of the error.

[alex1985 0]

Can I insert like the BB Code on my site, like the one on forums as well as on portals, just click the icons above the typing field, and it will do automatically?!

[demonlord 0]

no there was no error message it just gave me the tags that i put in the comment field when i submitted, it. i tryed using the center tag so in the comment fields i pu the following:

[center]this is a test to see if the bbcodes are working[/center]

and when it submitted the info, all i saw was what i put in the box center tags and all.