Development Discussion Board

[Nelsaidi]

http://htmlpurifier.org/ is I believe the most secure HTML parser yet, I'm not sure but I'm not in favour of HTML - As said its not guaranteed secure, as specification changes, new things may be introduced, or work arrounds with the current with exploits. Further more, its more what a user can do - would you want any user to replicate a page, fake it for example. some forums may want certain form elements on thier pages, however a smart user may put the html "Please login again to download file <username> <password> <submit>" - Provided it fits in with the rest of the page how many would fall for this - Many imo.

Removing any atrrbuitues wouldnt help, there are effects which can only eba chieved by setting a class for example, or spoiler BBCode, how will one replicate that with HTML? - They cant, they still need something to parse that code properly, fitting it in with a WYSIWYG editor wouldnt work - Lets say you were to call it '<spoiler>xyz</spoiler>' - The editor must be modified to deal with this - Yes this is a problem with BBCode but its more problamatic with HTML.

On a forum where you want hundreds of types of contents to be displayed how will this work? Such as Youtube videoes, you will have to go into the effort of hardcoding this somewhat

Look at vBulletin, they have a WYSIWYG editor and allow the posting of HTML, however BBCode is the superior, The latter is almost always disabled for security and because compared to BBCode it has not much of a use(see above)

EDIT
Rotsblok, if only it was that simple - Look at the code of HTMLPurifier, I believe it is well commented - this will let you know of the complexity.

EDIT2
BBCode also allows for more powerful features such as processing it in PHP (lets say you want a random number seed for whatever reasons) - This can be done without reinventing the wheel by making a BBCode parser if a powerful one already exists

[Rotsblok]

EDIT
Rotsblok, if only it was that simple - Look at the code of HTMLPurifier, I believe it is well commented - this will let you know of the complexity.

Everything looks complex for me..

No, I’m not trying to make an HTML parser or discussing the usefulness of such a parser with those rules, I’m specifically addressing the question of if a “Secure” HTML parser - Kellanved said that such a parser doesn’t exist, so I’m curious based on the rules I stated above how you would exploit such an HTML parser.

Ah oke .. was just finding out what you mean with attributes..

BTW just a thought... perhaps some additional easy to use parserfunctions.. something like the ability of predefined (through ACP or other) to format things more complex but more easier.
Like say i want to put a table in a post.. but adding things like [table][tr][td]bla[/td][td]etc...[/td][/tr][/table] is somewhat over typing.. maybe a thing that when you put in [table]bla|etc..[/table] it will make the table.. (although this can be done already me thinks..) but with more complex structures..
I know mediawiki has a thing called templates, that will put things in a certain defined layout when you put things in like {{position 1|position 2}} in a table or anything you want...
If you can do that you can then also make logical "scripts" like is position 1 is true then fill position 2 in at this place else ignore...

(hope i make some sense..)

[Highway of Life]

Wiki's markup for tables is something like this...

Code: Select all

{|
|-
! header name
! Another header
|-
| cell content first row
| another cell
|-
| cell content second row
| another cell
|-
|}

Less typing is always nice.
And with such markup, you could still have a BBCode parser along with another parser, perhaps one that would do stuff like this:

Code: Select all

*bold*
_italic_
h1. Header 1
h2. Header 2
h3. Header 3
bq. Block Quotes
Footnotes[1]
fn1. Footnotes are great to use as anchors
??cite your author?? (<cite></cite>)
Insert @some code@ (<code></code>)
remove -some text- from a sentence. (<del></del>)
insert +some text+ in a sentence. (<ins></ins>)
~subscript~
^superscript^
 * bullet lists
 # numeric lists
 #* nested lists

See if you recognize where that markup is from.

You can also take it a step further with classes...

Code: Select all

p(className). Paragraph with a CSS class name
p(#super-duper). Paragraph with a CSS id

Or alignments...

Code: Select all

p<. align left
p>. align right
p=. align center
p<>. justified
p(. Left indent 1em
p))). Right indent 3em
p((((. Left indent 4em

Tables are done like so...

Code: Select all

|_. Name |_. Species |_. Gender |
| Ranger | Horse | Male |
| Frosty | Cat | Male |
| Mindy | Horse | Female |
| Peaches | Dog | Female |

There's a lot more to it than that, but it’s a good small sample. What I like about using that kind of markup is that you could use it with the BBCode parser without conflict, it’s lighter than the (current) BBCode parser, and has a lot of functionality with very little markup to text. Compared to BBCode which is a lot of markup to text.

Textile Markup

[Highway of Life]

I think we're getting terribly offtopic, I’ll open a new RFC with markup options.

[bobtheman]

i was under the impression that wysiwyg editors like TinyMCE address's these very issues and the security built in is more than sufficient.

[Nelsaidi]

i was under the impression that wysiwyg editors like TinyMCE address's these very issues and the security built in is more than sufficient.

Errr, Javascript is client side - It is veryeasily modifiable, and what if the user doesnt have javascript enabled - the fallback is to use a standard text editor and they can insert anything.

All security checking etc must be done server side.

Addressing issues such as markup, well, see the topic HOL has/will create.

[4seven]

Hi there,

i [dev] now over 1 year a kind of private phpbb-wysiwyg and i think, i'am a genius in some things.
But, nevermind/anyway: Here are the main points, and here* i stucked over,
but it's not impossible: i know that 4 shure.

• Minimum: Support of Main BBCodes
• *Auto-Integration of any Custom BBCode
• Perfect Working in all possibilitys
• Near Sec-Safe Architecture
• Using much as possible of phpBB Core-Code to parse
  and pre-filtering the display of problem-content (as in Live Preview)
• Lightweight and clean (uncompressed) Code
• Switchable by User to "old mode"
• Min. Load Time

[ToonArmy]

Hi there,

i [dev] now over 1 year a kind of private phpbb-wysiwyg and i think, i'am a genius in some things.
But, nevermind/anyway: Here are the main points, and here* i stucked over,
but it's not impossible: i know that 4 shure.

• Minimum: Support of Main BBCodes
• *Auto-Integration of any Custom BBCode
• Perfect Working in all possibilitys
• Near Sec-Safe Architecture
• Using much as possible of phpBB Core-Code to parse
  and pre-filtering the display of problem-content (as in Live Preview)
• Lightweight and clean (uncompressed) Code
• Switchable by User to "old mode"
• Min. Load Time

Got any code we can see?

[4seven]

i wait for make it public(!) viewable till syntax of 3.1 is clear.

[Erik Frèrejean]

Which syntax to you refer to?