[RFC] Javascript Preview

Note: We are moving the topics of this forum and it will be deleted at some point

Publish your own request for comments/change or patches for the next version of phpBB. Discuss the contributions and proposals of others. Upcoming releases are 3.2/Rhea and 3.3.
User avatar
naim
Registered User
Posts: 50
Joined: Thu Oct 13, 2011 7:21 pm
Location: Isolation
Contact:

Re: [RFC] Javascript Preview

Post by naim »

What is the problem with re-implementing the BBCode "engine" in JavaScript?
Security doesn't need to be taken into consideration since it is all on the client side.
User avatar
Pony99CA
Registered User
Posts: 986
Joined: Sun Feb 08, 2009 2:35 am
Location: Hollister, CA
Contact:

Re: [RFC] Javascript Preview

Post by Pony99CA »

naim wrote:What is the problem with re-implementing the BBCode "engine" in JavaScript?
For one, it's a lot of work. Also, unless you'd also be using the JavaScript parser for displaying posts outside of the preview, you'd have redundant code.
naim wrote:Security doesn't need to be taken into consideration since it is all on the client side.
Maybe you don't need to worry about SQL injection, but I think that you still have to worry about things like Cross-Site Scripting (XSS), right?

Steve
Silicon Valley Pocket PC (http://www.svpocketpc.com)
Creator of manage_bots and spoof_user (ask me)
Need hosting for a small forum with full cPanel & MySQL access? Contact me or PM me.
User avatar
naim
Registered User
Posts: 50
Joined: Thu Oct 13, 2011 7:21 pm
Location: Isolation
Contact:

Re: [RFC] Javascript Preview

Post by naim »

Pony99CA wrote:Maybe you don't need to worry about SQL injection, but I think that you still have to worry about things like Cross-Site Scripting (XSS), right?
Wrong. The data is already loaded into the page.
The script on the page won't execute any other script.
User avatar
JoshyPHP
Registered User
Posts: 376
Joined: Fri Jul 08, 2011 9:43 pm

Re: [RFC] Javascript Preview

Post by JoshyPHP »

If your JavaScript preview contains a <script> element it'll get executed when you display it. Same for <img onerror="..."/> and other XSS vectors. It's not terribly useful though, because you need to trick somebody into either manually entering the XSS vector in the message box, or somehow edit or quote a post containing the XSS vector, assuming the XSS vector doesn't get nullified when the original message goes through the PHP parser.
Pony99CA wrote:For one, it's a lot of work. Also, unless you'd also be using the JavaScript parser for displaying posts outside of the preview, you'd have redundant code.
Redundant it is. I've written such a parser a little while ago, you can see a live demo there. What I did is I saved every relevant PHP file as a JavaScript file and I edited it to replace the PHP syntax with JavaScript. I had to forsook part of the object-orientedness, which would have been much more complicated to translate and didn't have much of a use, but it was surprisingly straightforward and it only took me a few days to do most of the work. If you're curious, you can compare the general files here and the BBCode parser there.
Post Reply