cbparser v1.2.2

cbparser, that lovable bbcode parser, has had a small security update.

I got mail about some more potential XSS attack variants (thanks j8!), and I've decided to (at last) kill all style tags from within the posted bbcode. cbparser has so many styles built in that there's simply no need for users to roll their own, and most webmasters wouldn't want that anyway.

The upshot is that, as well as the current round-up of style-based XSS attacks, cbparser will be immune to all future style-based XSS attacks. It also means we can lose some code, as individual hacks won't need checking any more.
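To show the approach in working code (an added example, not cbparser's own source), here is a tiny bbcode-to-HTML converter that never emits style: a `[style]` block is dropped wholesale, every attribute on an allowed tag is discarded rather than filtered, and anything else is escaped as text. The tag allowlist and the sample inputs are assumptions for this example.

```python
import html
import re

# Assumed allowlist for this example: bbcode name -> HTML element.
# Anything not listed is shown as literal, escaped text.
ALLOWED = {"b": "strong", "i": "em", "u": "u", "quote": "blockquote"}

# A whole [style]...[/style] block is removed before anything else is parsed.
STYLE_BLOCK_RE = re.compile(r"\[style[^\]]*\].*?\[/style\]", re.IGNORECASE | re.DOTALL)
# Generic bbcode tag: optional "/", a name, and any attribute text up to "]".
TAG_RE = re.compile(r"\[(/?)([a-z]+)([^\]]*)\]", re.IGNORECASE)


def bbcode_to_html(text: str) -> str:
    """Render bbcode to HTML without ever passing user CSS through.

    Tag balancing is out of scope here; the point is what gets emitted.
    """
    # 1. Kill [style] blocks outright; nothing inside them survives.
    text = STYLE_BLOCK_RE.sub("", text)
    out, pos = [], 0
    for m in TAG_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        closing, name, _attrs = m.group(1), m.group(2).lower(), m.group(3)
        if name in ALLOWED:
            # 2. Emit the mapped element with NO attributes: a style="..."
            #    on the bbcode tag is discarded, not inspected for "bad" values,
            #    so there is no per-hack pattern list to keep up to date.
            out.append(f"<{closing}{ALLOWED[name]}>")
        else:
            # 3. Unknown tags (including a stray, unclosed [style]) stay as text.
            out.append(html.escape(m.group(0)))
        pos = m.end()
    # Raw HTML such as <style> in the post body is escaped like any other text.
    out.append(html.escape(text[pos:]))
    return "".join(out)


def emits_style(rendered: str) -> bool:
    """Post-render check a test suite can run: does any 'style' reach the output?"""
    return "style" in rendered.lower()
```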

I've put together a complete updated package, with css, buttons, etc., and you can grab it from the beta section, here. If I don't get a bag of bugmail, I'll move it over to the regular section after an unspecified number of days, and it will become the regular release version. If you just want to look at the code, do that here.

As always, it's the very latest version running onsite, taking care of the comments, blogs and such, including this very blog entry, so feel free to test these things right here; try before you buy, so to speak, except of course, it's free. Have fun!

for now..


 ©  2024 « corz.org » 24.4.20  