What is the problem with re-implementing the BBCode "engine" in JavaScript?
Security doesn't need to be taken into consideration since it is all on the client side.
[RFC] Javascript Preview
- Pony99CA
- Registered User
- Posts: 986
- Joined: Sun Feb 08, 2009 2:35 am
- Location: Hollister, CA
Re: [RFC] Javascript Preview
naim wrote: What is the problem with re-implementing the BBCode "engine" in JavaScript?
For one, it's a lot of work. Also, unless you'd also be using the JavaScript parser for displaying posts outside of the preview, you'd have redundant code.
naim wrote: Security doesn't need to be taken into consideration since it is all on the client side.
Maybe you don't need to worry about SQL injection, but I think that you still have to worry about things like Cross-Site Scripting (XSS), right?
Steve
Silicon Valley Pocket PC (http://www.svpocketpc.com)
Creator of manage_bots and spoof_user (ask me)
Need hosting for a small forum with full cPanel & MySQL access? Contact me or PM me.
Re: [RFC] Javascript Preview
Pony99CA wrote: Maybe you don't need to worry about SQL injection, but I think that you still have to worry about things like Cross-Site Scripting (XSS), right?
Wrong. The data is already loaded into the page.
The script on the page won't execute any other script.
Re: [RFC] Javascript Preview
If your JavaScript preview contains a <script> element, it'll get executed when you display it. Same for <img onerror="..."/> and other XSS vectors. It's not terribly useful though, because you need to trick somebody into either manually entering the XSS vector in the message box, or somehow edit or quote a post containing the XSS vector, assuming the XSS vector doesn't get nullified when the original message goes through the PHP parser.
Pony99CA wrote: For one, it's a lot of work. Also, unless you'd also be using the JavaScript parser for displaying posts outside of the preview, you'd have redundant code.
Redundant it is. I wrote such a parser a little while ago; you can see a live demo there. What I did is I saved every relevant PHP file as a JavaScript file and edited it to replace the PHP syntax with JavaScript. I had to forsake part of the object-orientedness, which would have been much more complicated to translate and didn't have much use, but it was surprisingly straightforward and it only took me a few days to do most of the work. If you're curious, you can compare the general files here and the BBCode parser there.
and other XSS vectors. It's not terribly useful though, because you need to trick somebody into either manually entering the XSS vector in the message box, or somehow edit or quote a post containing the XSS vector, assuming the XSS vector doesn't get nullified when the original message goes through the PHP parser.Redundant it is. I've written such a parser a little while ago, you can see a live demo there. What I did is I saved every relevant PHP file as a JavaScript file and I edited it to replace the PHP syntax with JavaScript. I had to forsook part of the object-orientedness, which would have been much more complicated to translate and didn't have much of a use, but it was surprisingly straightforward and it only took me a few days to do most of the work. If you're curious, you can compare the general files here and the BBCode parser there.Pony99CA wrote:For one, it's a lot of work. Also, unless you'd also be using the JavaScript parser for displaying posts outside of the preview, you'd have redundant code.