corz.org uses cookies to remember that you've seen this notice explaining that corz.org uses cookies, okay!
corzblog bbcode parser preview
Here it is! My [search engine fodder] bbcode to html parser, and html to bbcode parser [/search engine fodder]!
This is the actual very onsite parser that parses the bbcode of my blogs and site comments, which as well its usual tasks of, well, you know, the parsing stuff, also moonlights doing a cute wee background demo of itself, you're looking at it. it knew you wanted to do that. hit the "preview" button to see at least one half of the parser's bbcode to html/html to bbcode functionality.
The front-end (below) is built-in to the parser, you just call the
function and it creates the form. The cool, super-portable JavaScript bbcode buttons and functions come
in the package, too. Have fun. Oh, and by the way, output is 100% pure HTML5, or nice plain bbcode, which ever way you look at it, it's free.
Welcome to the comments facility!
2 adam:
the id right after the semicolon is the $bbcode_uid which is generated with make_bbcode_uid function in bbcode.php file. It makes every bbcode in the post unique.
The XHTML version is missing. Please re-upload it. Because this version acts really weird.
it'll replace
However all this looks perfect on this page, so i'm assuming you have got around it somehow in the xhtml version (which sadly isnt available). Please make it available for download.
[url] works fine in the old version, though you *must* use quotes, with both old AND new versions, if you want valid markup. Empty [url]whatever[/url] tags have never worked, this is also by design.
And yes, I'll put the xhtml version back up very soon, I had to pull it almost as soon as it went up after I discovered an unusual bug. But it's been working away at here at the org this last week without problems, so I'll likely get the latest version up again within the next 24 hours or so.
Thanks for caring!
;o)
(or
hmm I was just going through your parser, and I must say it is very very unsafe. There is simply no prevention against XSS (Cross Site Scripting). Almost every tag is exploitable...
Heres an example...
alert("XSS (Cross Site Scripting)");
the code used was
This is ofcourse just an example, but you can stretch your imagination, almost anything can be done, like stealing cookies, editing registry etc.
If you ask me the whole InfiniTags™ is a bad idea, atleast if put the way it is.
You really need to work on making the code secure.
XHTML or not I guess I'll resolve to my good ol' preg_matches :P
Don't take it the wrong way, I really do appreciate the work, but this is just an invitation to hackers/script kiddies.
here we go again!
Firstly, it's drop dead simple to prevent these things, maybe add the word "script" to the ban list, as previously suggested. I simply choose not to do that here, mainly because I enjoy watching people try these things. You should see some of the fun that gets uploaded in my php upload script! I have learned a lot from my potential hackers, and wish to keep doing so. And in over two years of running this parser all over the site, nothing has been lost.
I mean, just try and edit my registry! This simply isn't possible, though sure, other things are. And you aren't the first to mention this, even publicly, which is why I added xss-prevention to the xhtml cbparser, very simple to do.
If it makes you feel better, I'll even enable it by default in the release version!
But not right now, I am called elsewhere..
;o)
(or
I got home quite a bit later than expected, and I'm really too tired for code tonight (there's more to packaging than simply zipping, and really, it's penciled in for tomorrow - there's still a couple of things I want to tweak before it goes out, anyway, the weekend) but before I go to bed..
You've given me some food for thought, blah, which is always good; not so much in the security aspect (my dev version had its xss support beefed-up fairly recently - though after your comments I'll be testing it more thoroughly! as well as a few interesting <pre> tag encoding schemes I've been playing with) but rather in "what people think". Hmmm.
For example, I used to enjoy the spammers' odd visits. I'd delete their silly comments, have a wee laugh, add their strings and domains to the spammer list, yet still, not actually enable spammer protection here at the org. I don't like to miss stuff, you see.
But then it just got too bloody annoying, and I switched the spammer protection on myself, tada! goodbye spammers, mostly. It's a similar story with the xss prevention stuff. My own opinion is that this whole cross-site scripting thing has been blown out of proportion. Yes, it's important, for certain sites, perhaps crucial, but mainly it's kids, and some of the pranks are quite amusing, actually. The question is, do I enable this protection here?
I personally don't feel at risk, not because xss isn't possible here, it is. But corz.org is littered with pages that have comment facilities (some with thousands of comments), and not once has anyone tried anything remotely nefarious. I like to think in my own innocent way, "why would anyone want to do that to my site?". And I still see things that way. Messing with Microsoft or AOL or something I could understand, but me? That's insane!
But the problem is, if I don't enable it, then folk might get a bad impression of the parser itself (and there are many cool features in the new version, so I don't want to put people off what I - and thousands of downloaders - know is a valuable thing) but if I do enable it, I miss all the fun, and importantly, I'd never know if someone was attacking corz.org, because it would fail. The question is; which is more important to me?
I'm still not sure. But, thanks for the food, anyway!
nn
;o)
(or
"why would anyone want to do that to my site?"
That thought is killing the internet
Its not that its tough to combat XSS, its just that when you are making an open source script for people to use, you should make it a point to secure it and enable all security settings by default. Remember not everyone is fluent with php. Looking at the number of people using your parser for their phpbb and other forums, its a huge risk. Risk as in? stealing the cookies of other users and using them for logging in, if ip binding is not enabled.
I mean, just try and edit my registry! This simply isn't possible, though sure, other things are.
You might wanna have a look here
http://castlecops.com/t123194-.html
I understand its not a big deal here, but this isn't the only place where the script is used, is it?
You can continue with open exploits here but you should seriously think about releasing a new version which overcomes these exploits, to the public.
We probably couldn't disagree more. There are more important things afoot than our precious individual web sites. My innocence is real bliss, and I'm fairly keen to keep it that way. Even if I was *gasp* "attacked", I'd just deal with it, and still carry feeling that way. And believe me, nothing is killing the internet; the reality of things is completely, totally the opposite!
I'm aware of the issue (one of my online collaborators likes to keep me in the loop *sigh*) but that is an issue with a buggy web browser that only a fool would use, and I stand by what I said.. editing my registry with xss is not possible. But do feel free to try!
I've enabled the xss prevention in the online version (yes, I slept on it, and even added a couple of wee xss tests to the demo string, just for you! ) so seriously, DO feel free to try; I'd appreciate the testing.
And I DO appreciate you comments, blah, too. In truth, I don't give security a lot of thought, though of course my release stuff is pretty tight. The new version of cbparser is long overdue, I know, but there have been a few difficulties elsewhere in the code of things, the portable javascript features have been giving me headaches, amongst other code my simple mind finds tricky. Anyways..
announcing the all-new, xhtml-compliant cbparser!
I've bitten the bullet this morning and packaged up the whole shabang. Along with the parser itself, which now comes with its own built-in bbcode GUI (as seen at the top of this page), you get the cbguide (the neat info and buttons underneath) and its associated javascript file (highly cool inside!). There's also a sample CSS file (as generated by corzblog), and even a few cute images for your list items (as seen above).
The parser itself is a massive improvement over the old version. Producing 100% strict xhtml compliant code was the motivation, but I didn't stop there. There's more tags, support for a wide range of email bbcode, improved anti-spam capabilities, xss prevention - blah stole my thunder for THAT announcement! - och, loads of good stuff. Get it in a text editor! cbparser will even do automatic conversion of any legacy bbcode you might edit.
I'm really pleased with it, and this version - more or less - has been running away on my dev mirror for the last week or so (though, with xss-prevention disabled) without any troubles, so I'm fairly certain you won't encounter any difficulties installing or upgrading to the latest version. Of course, if you do, let me know!
for now..
;o)
(or
ps.. if I don't get any major bug reports back, the beta will become the main release version a week from today.
I'd really like to thank you for putting in all the effort. At the moment I'm going through the code tweaking it to my needs. I must say quite a few of those preg_matches can be replaced with str_replace, just another step towards making the fastest parser even faster ;)
Quite a few tags are yet eploitable, open this page in IE6.0...
code used
I'm just doing an
<?php
htmlentities($text, ENT_QUOTES, 'UTF-8')
?>
to the input string, along with replacing a couple of symbols with their decimal equivalents, as I dont allow any html tags, your mileage may vary.
Also in your script if the xssclean is called after the parsing this can easily be avoided...
Thanks!
I originally had
<?php
htmlentities($text, ENT_QUOTES, 'UTF-8')
?>
but sadly my development server can't handle multibyte stuff very well (though it should!), so I had to switch that off (the line has since been put back in but is commented out, with a note).
I don't want to run the xssclean after parsing because I use javascript in some of the tags, so it must work at the bbcode end of thing. And if you want something really nasty for IE try this.. I've added that to the xss clean-up, but your version will still be exploitable. try it just for fun.
I wasn't aware that you could throw javascript statements into image tags. Thats's fecking nuts! I presume this is IE only, is it? I guess I could add something for that.
replaced with str_replace, probably (in the xss-prevention code?). The thing with the regex engine is, once you've got it up and running, it's pretty much neck and neck with a regular str_replace. The secret is to avoid it altogether, if possible, which it isn't here.
Feel free to keep tweaking away, blah, that's what it's all about, and I'm sure new exploits will keep appearing all the time; annoying as it is, you can always drop them here, anyone. If you manage to replace any of the preg_replace statements with str_replace equivilents, mail me your changes!
I got the entities dropdown working properly yesterday, and put up a couple of updates as I went along. I've now tied the internal version number into the download link (which is generated), the idea being, as soon as a new version goes into place here, I'll need to up the same version for the download link to keep working. Of course, I may forget
I also updated the bbtags page to reflect the new version. Aside from more tags, there are a few other changes. I'll note some here, making notes for a proper devblog entry when this becomes the main cbparser release..
There's no more "strictly bbcode" option, in that it's bbcode or nothing. Angle brackets are encoded to html entities, so entering raw HTML tags is no longer an option. But of course, with InfiniTags™, you can enter any html as bbcode, so really, there's no need for it.
Likewise, the html >> bbcode conversion is always enabled. cbparser will attempt to translate any tags it doesn't recognise into bbcode InfiniTags™, just like it does with known bbcode markup.
Someone may have noticed that cbparser's built-in gui is also equipped with the most effective anti-CSRF attack measure available, though in truth, I didn't put that feature (trackable hidden token) in there for that, but for my own devious uses (tracking comment entries, in fact, ie.. edit your comment, or whatever). But there you are, an added bonus!
I'll do more notes later.
;o)
(or
ps.. fixing the image tag is just adding a "?" after the = of the javascript catcher. now it catches all sorts.
pps. try a newer version.