  1. #1
    Senior Coder doubledee
    Join Date
    Mar 2011
    Location
    Arizona
    Posts
    1,064
    Thanks
    25
    Thanked 0 Times in 0 Posts

    Questions about BBCode

    My website allows members to post Comments beneath my Articles, and the goal is to facilitate discussions on topics very similar to on CodingForums!

    Currently I only allow simple text posts and I use htmlentities to strip out HTML.

    Moving forward, I would like to allow more formatting and control like on Coding Forums, and so I have some questions...


    Questions:
    1.) How important is it to users to be able to format messages, include links, and smileys?


    2.) How much of a security risk do you create by allowing people to format posts and even include hyperlinks?


    3.) How hard would it be to write my own BBCode?

    Sincerely,


    Debbie

  • #2
    The fat guy next door VIPStephan
    Join Date
    Jan 2006
    Location
    Halle (Saale), Germany
    Posts
    8,629
    Thanks
    6
    Thanked 1,002 Times in 975 Posts
    I can only kind of answer the first two questions since I’m more of a client-side developer. But those questions don’t even have one specific answer, it can only be “it depends”.

    It depends on the audience and subject of your website as to how important the option to format posts is. But I suppose it’s never wrong to provide at least some basic formatting to express emphasis (i. e. bold and italic text) or the like. If you have a “serious” website I guess smileys aren’t very important or even appropriate; if your site is more casual it won’t hurt to have those but I don’t think it’s overly important. That’s just a gimmick after all.

    As to the security risks: There are no risks if you just allow basic formatting as mentioned above. Links aren’t insecure per se because they would only link to third-party sites but of course they allow bad people to post links to spam sites and/or post links just to increase their SEO ranking. For this you can add a rel="nofollow" to all external links (as used to be the case with the old version of CF) and also communicate this to the visitors so if they are human they know that the effort is (almost) useless.

    The only real security risk would be if you allowed JavaScripts, iframes, objects, or forms to be inserted but I suppose that’s why BB code was invented in the first place, to remove any possibility to post real HTML and replace it with your custom markup language so you have full control over what can be posted.

  • #3
    Regular Coder
    Join Date
    Sep 2011
    Posts
    408
    Thanks
    18
    Thanked 26 Times in 26 Posts
    One thing I can think of is an IP grabber with images. If you allow for images to be displayed, then someone could easily link an image on their own domain and on their server side, have their PHP log the IP requesting the image and still print it out. Nobody knows it happened and it's pretty much impossible to detect if set up correctly.

    Now I'm not saying someone is going to be linking IP grabbing images to your site, especially since if there's a lot of visitors it will only hide their IP addresses (it's easy to find a needle in a small haystack, but not a big haystack). That's just one common way I've heard of things done. Also, if you allow HTML code, strip out any css styling because they could completely change the look of the page if they wanted to (hide elements, show their own, etc.).

    Not sure what else there is really, like VIPStephan said, it all depends.

  • #4
    Senior Coder doubledee
    Join Date
    Mar 2011
    Location
    Arizona
    Posts
    1,064
    Thanks
    25
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by Dubz View Post
    One thing I can think of is an IP grabber with images. If you allow for images to be displayed, then someone could easily link an image on their own domain and on their server side, have their PHP log the IP requesting the image and still print it out. Nobody knows it happened and it's pretty much impossible to detect if set up correctly.

    Now I'm not saying someone is going to be linking IP grabbing images to your site, especially since if there's a lot of visitors it will only hide their IP addresses (it's easy to find a needle in a small haystack, but not a big haystack). That's just one common way I've heard of things done. Also, if you allow HTML code, strip out any css styling because they could completely change the look of the page if they wanted to (hide elements, show their own, etc.).

    Not sure what else there is really, like VIPStephan said, it all depends.
    You really only answered Question #2.

    Any thoughts on Question #1 and Question #3 in my OP?


    Debbie

  • #5
    Regular Coder
    Join Date
    Sep 2011
    Posts
    408
    Thanks
    18
    Thanked 26 Times in 26 Posts
    Quote Originally Posted by doubledee View Post
    You really only answered Question #2.

    Any thoughts on Question #1 and Question #3 in my OP?


    Debbie
    Sorry about that, wasn't really paying attention.

    1. This mostly depends on the site and what it's for. For instance, CodingForums is important to have the CODE, ICODE, and PHP tags simply due to the fact that it's for programming and syntax highlighting is a big help in assisting others. The main tags I'd consider would be for the following styling:
    • Color
    • Bold, Italicized, and underlining; Perhaps strike-through, subscript, and superscript
    • URL hot-linking
    • Image embedding
    • Different font sizes
    • Highlight


    These are just a few things that would be helpful and can all be accomplished in a different way.

    3. As for making them, I've never done it before but I have played with SimpleMachine's BBC settings to create a few custom tags just to try it out. My bet would be that preg_replace() would be the best function to use. You could start with creating basic mods, such as bold. For example:

    PHP Code:
    $patterns = array();
    $replacements = array();
    $text = '[u]This[/u] is a [b]user\'s[/b] [i]input[/i].';

    #### Start patterns and replacements ####
    # The lazy quantifier (*?) pairs each opening tag with the nearest closing tag
    #[b] [/b]
    $patterns[] = '/\[b\]([\w\W]*?)\[\/b\]/';
    $replacements[] = '<b>$1</b>';
    #[i] [/i]
    $patterns[] = '/\[i\]([\w\W]*?)\[\/i\]/';
    $replacements[] = '<i>$1</i>';
    #[u] [/u]
    $patterns[] = '/\[u\]([\w\W]*?)\[\/u\]/';
    $replacements[] = '<u>$1</u>';

    # Apply every pattern/replacement pair, in order, to the input
    $new_text = preg_replace($patterns, $replacements, $text);
    echo $new_text; // Should print '<u>This</u> is a <b>user's</b> <i>input</i>.'
    That's just a small demonstration, you can add more to the list and the more you do the more complicated it could be. I'm sure you could find a small set of premade BBC online. If you want it to match your site's template more you can simply just replace it with extra html code and such around it.

    Now of course there is a way to combine bold, italics, and underline into one regex, but then you wouldn't be able to turn only one on and off without either making a long switch of cases or modifying the code to include it or not so keeping it separate won't be that bad either. You could also just do a str_replace() of the data, but then you run into an issue if a user doesn't include both parts (unclosed tags, etc.).
    Last edited by Dubz; 05-25-2014 at 07:43 AM.
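An added example, not part of any post in this thread: one way to combine the points raised above, escaping all HTML first (as the original poster already does with htmlentities), then converting an allow-list of tags with preg_replace(), leaving unclosed tags as plain text and adding rel="nofollow" to links. The function name render_bbcode(), the [url=...] syntax and the sample comments are assumptions constructed for illustration.

```php
<?php
// Added example, not code from the thread. render_bbcode() is a hypothetical name.
function render_bbcode(string $raw): string
{
    // 1. Escape every HTML character first, so the only markup that reaches
    //    the page is the markup generated by the steps below.
    $html = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // 2. Paired tags from an allow-list. The lazy quantifier (.*?) stops at the
    //    nearest closing tag; an unclosed tag matches nothing and stays as text.
    foreach (['b', 'i', 'u'] as $tag) {
        $html = preg_replace(
            '/\[' . $tag . '\](.*?)\[\/' . $tag . '\]/is',
            '<' . $tag . '>$1</' . $tag . '>',
            $html
        ) ?? $html;   // keep the previous value if the regex engine fails
    }

    // 3. Links: accept only absolute http(s) URLs and mark them nofollow.
    //    $m[1] is already escaped by step 1, so it cannot close the attribute.
    return preg_replace_callback(
        '/\[url=([^\]\s]+)\](.*?)\[\/url\]/is',
        function (array $m): string {
            if (!preg_match('#^https?://#i', $m[1])) {
                return $m[0];   // rejected scheme: leave the BBCode as inert text
            }
            return '<a href="' . $m[1] . '" rel="nofollow">' . $m[2] . '</a>';
        },
        $html
    ) ?? $html;
}

// Constructed sample comments covering the cases discussed in the thread.
$samples = [
    '[u]This[/u] is a [b]user\'s[/b] [i]input[/i].',
    '[b]one[/b] and [b]two[/b], then an [i]unclosed tag',
    '<script>document.title = "x"</script> [url=https://example.com/]site[/url]',
    '[url=javascript:void(0)]click[/url]',
];
foreach ($samples as $s) {
    echo render_bbcode($s), "\n";
}
```

Mis-nested input such as `[b][i]x[/b][/i]` still produces mis-nested (but script-free) HTML; a stack-based parser is needed if strict nesting matters.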

