Custom BBCodes [Deprecated]

Get help developing custom BBCodes or request one.
AmigoJack
Registered User
Posts: 5680
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: Custom BBCodes

Post by AmigoJack »

The current usage of [ u ] and most of the examples for [ s ] or [ strike ] are using deprecated HTML-tags. Believe it or not, but for anything you ever wanted to underline or strike-through HTML already has the Tags <ins> and <del>. So the best practice for BBcodes should be:

BBcode "underline":

Code: Select all

[u]{TEXT}[/u] 
HTML replacement:

Code: Select all

<ins>{TEXT}</ins> 
BBcode "strike-through":

Code: Select all

[s]{TEXT}[/s] 
HTML replacement:

Code: Select all

<del>{TEXT}</del> 
There is even no need to apply CSStyles to it - all major browsers today seem to automatically show underlines and strike-throughs (tested on FFOX3, OPER10, MSIE7).
The worst thing about censorship is ███████████
Affin wrote:
Tue Nov 20, 2018 9:51 am
The problem is probably not my English but you do not want to understand correctly.
...
We will not come anybody anyway, nevertheless, it's best to shit this.

updown
Registered User
Posts: 542
Joined: Sat Jan 05, 2008 6:53 am

Re: Custom BBCodes

Post by updown »

updown wrote: I have the same problem whenever I need to pass a specific attribute into a URL, where full TEXT support is necessary. Example:

Code: Select all

<a href="http://myurlxxxx.com/index.php?q={TEXT}">...</a>
FIRST:
I need all chars available, including UTF8 and special chars for a correct URL. Is there another solution instead of "{TEXT}"?

SECOND:
Is there any documentation or an example anywhere that helps judging the risk of an XSS-vulnerability within these kinds of tags in phpBB? Since special-chars like ' < ' or '"' are being html-encoded, I've no clue where exactly the problem is. (I found nothing concrete about this by searching intensively).

Thanks in advance for helpful answers!
anyone? :roll:

AmigoJack
Registered User
Posts: 5680
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: Custom BBCodes

Post by AmigoJack »

  1. In ACP > Posting > Message > BBCodes the available tokens are even explained:
    "{INTTEXT} Unicode letter characters, numbers, spaces, commas, dots, minus, plus, hyphen, underscore and whitespaces."
  2. Which problem? This has always been one of BBCode's intentions: to avoid HTML and sanitize any formatting input. This way nobody can e.g. use style-tags to include foreign documents. Do you have any example that might point to an issue which makes BBCode unsafe?
    updown wrote: I've no clue where exactly the problem is

ric323
Former Team Member
Posts: 22909
Joined: Tue Feb 06, 2007 12:33 am
Location: Melbourne, Australia
Name: Ric

Re: Custom BBCodes

Post by ric323 »

AmigoJack wrote: ...
Which problem? This has always been one of BBCode's intentions: to avoid HTML and sanitize any formatting input. This way nobody can e.g. use style-tags to include foreign documents. Do you have any example that might point to an issue which makes BBCode unsafe? ...
I think he is referring to using a {TEXT} token inside an HTML tag, which most definitely is NOT safe.
The Knowledge Base contains solutions to many common problems!
How to fix "Doesn't have a default value" and "Incorrect string value: xxx for column 'post_text' " errors.
How to do a clean re-install of the latest phpBB3 version.
Problems with permissions? Read phpBB3 Permissions

kevb8ll
Registered User
Posts: 196
Joined: Mon Jan 30, 2006 10:08 am

Re: Custom BBCodes

Post by kevb8ll »

How can I embed the following using BBcode?:

http://v.sports.163.com/video/2010/7/D/7/V6AVOICD7.html

It's a flash embedded file in an HTML page.

I already have a BBcode default set up for youtube - but can't get this to work.

Kev

ric323
Former Team Member
Posts: 22909
Joined: Tue Feb 06, 2007 12:33 am
Location: Melbourne, Australia
Name: Ric

Re: Custom BBCodes

Post by ric323 »

Something like this? :)

Code: Select all

[flash=492,397]http://img1.cache.netease.com/flvplayer081128/~true~0005_V6AVOICD7~vimg1.ws.126.net/image/snapshot/2010/7/D/8/V6AVOICD8~.swf[/flash]


kevb8ll
Registered User
Posts: 196
Joined: Mon Jan 30, 2006 10:08 am

Re: Custom BBCodes

Post by kevb8ll »

Cheers mate.

What does the 492/397 denote, the size of the player window? If so all I need to change is any url after that?

How did you extract the direct link?

ric323
Former Team Member
Posts: 22909
Joined: Tue Feb 06, 2007 12:33 am
Location: Melbourne, Australia
Name: Ric

Re: Custom BBCodes

Post by ric323 »

kevb8ll wrote: What does the 492/397 denote, the size of the player window?
Yes.
kevb8ll wrote: If so all I need to change is any url after that?

How did you extract the direct link?
By viewing the page source for the page you linked to (and looking for a reference to a ".swf" file).
In particular:

Code: Select all

 <object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" id="CoreVPlayer" width="492" height="397" codebase="http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab">
            <param name="movie" value="http://img1.cache.netease.com/flvplayer081128/~true~0005_V6AVOICD7~vimg1.ws.126.net/image/snapshot/2010/7/D/8/V6AVOICD8~.swf" />
            <param name="quality" value="high" />
            <param name="bgcolor" value="#ffffff" />
            <param name="allowfullscreen" value="true" />
            <param name="allowScriptAccess" value="always" />
            <embed src="http://img1.cache.netease.com/flvplayer081128/~true~0005_V6AVOICD7~vimg1.ws.126.net/image/snapshot/2010/7/D/8/V6AVOICD8~.swf" quality="high" bgcolor="#ffffff" width="492" height="397" name="CoreVPlayer" play="true"    loop="false"quality="high" allowScriptAccess="always" allowfullscreen="true" type="application/x-shockwave-flash" pluginspage="http://www.adobe.com/go/getflashplayer"></embed>
            </object> 
From that:
<param name="movie" value="http://img1.cache.netease.com/flvplayer ... OICD8~.swf" />
width="492" height="397"

kevb8ll
Registered User
Posts: 196
Joined: Mon Jan 30, 2006 10:08 am

Re: Custom BBCodes

Post by kevb8ll »

Thank you for that - I appreciate your help.

Kev

updown
Registered User
Posts: 542
Joined: Sat Jan 05, 2008 6:53 am

Re: Custom BBCodes

Post by updown »

AmigoJack wrote:In ACP > Posting > Message > BBCodes the available tokens are even explained:
{INTTEXT} Unicode letter characters, numbers, spaces, commas, dots, minus, plus, hyphen, underscore and whitespaces.
INTTEXT doesn't allow " or other specialchars like < or >, but in some URLs you definitely have to pass them with the variable, otherwise the URL doesn't work as expected!
ric323 wrote:I think he is referring to using a {TEXT} token inside an HTML tag, which most definitely is NOT safe.
Exactly, but WHY? WHERE is the issue? HOW could that be compromised and HOW BIG is the risk by ignoring this warning? Any documentation or hint for further examinations?

Noxwizard
Support Team Leader
Posts: 10359
Joined: Mon Jun 27, 2005 8:41 pm
Location: Texas, USA
Name: Patrick Webster

Re: Custom BBCodes

Post by Noxwizard »

Because you can break out of any tag that uses {TEXT} and create an XSS vulnerability.
[Support Template] - [Read Before Posting] - [phpBB Knowledge Base]
Do not contact me for private support, please share the question in our forums.
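
An added illustration of the question discussed above: what happens to a value substituted into an `href` attribute with no encoding, with HTML-escaping only, and with encoding for both the URL and the attribute. This is an added example, not code from the thread or from phpBB; it is a generic Python sketch that does not reproduce phpBB's BBCode parser, and the helper names and sample values are made up.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, quote, urlsplit

# The replacement from the post above, with the token left as a placeholder.
TEMPLATE = '<a href="http://myurlxxxx.com/index.php?q={TEXT}">...</a>'


def render_raw(value):
    """No encoding: the value lands in the attribute exactly as typed."""
    return TEMPLATE.replace("{TEXT}", value)


def render_html_only(value):
    """HTML-escape only: stays inside the attribute, but is not a valid URL part."""
    return TEMPLATE.replace("{TEXT}", html.escape(value, quote=True))


def render_encoded(value):
    """Percent-encode for the query value, then HTML-escape for the attribute."""
    as_query_value = quote(value, safe="")  # UTF-8 bytes and " < > & = space -> %XX
    return TEMPLATE.replace("{TEXT}", html.escape(as_query_value, quote=True))


class _FirstAnchor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "a" and self.attrs is None:
            self.attrs = dict(attrs)


def parsed(markup):
    """Return (attribute names, query parameters) as an HTML parser sees the link."""
    parser = _FirstAnchor()
    parser.feed(markup)
    parser.close()
    query = parse_qs(urlsplit(parser.attrs["href"]).query)
    return sorted(parser.attrs), query


# Constructed sample values (harmless markers, not taken from the thread).
QUOTE_SAMPLE = 'grün" data-marker="1'   # contains the attribute delimiter
AMP_SAMPLE = "tom & jerry&page=2"       # contains URL delimiters

if __name__ == "__main__":
    for render in (render_raw, render_html_only, render_encoded):
        for sample in (QUOTE_SAMPLE, AMP_SAMPLE):
            print(render.__name__, repr(sample), parsed(render(sample)))
```

With `render_html_only` the link keeps a single attribute, yet an `&` in the value still splits the query string; only the percent-encoded form hands the whole value to the `q` parameter intact.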

WickedSmile
Registered User
Posts: 2
Joined: Thu Jul 22, 2010 4:14 am

Re: Custom BBCodes

Post by WickedSmile »

Is it possible to get a BBcode for G4 videos? Comic Con has started and I'd like to post videos of the footage on my site.


http://g4tv.com/videos/40241/A-Visit-Fr ... rue-Blood/

Embed code

Code: Select all

<object classId="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="480" height="418" id="VideoPlayerLg40241"><param name="movie" value="http://g4tv.com/lv3/40241" /><param name="allowScriptAccess" value="always" /><param name="allowFullScreen" value="true" /><embed src="http://g4tv.com/lv3/40241" type="application/x-shockwave-flash" name="VideoPlayer" width="480" height="382" allowScriptAccess="always" allowFullScreen="true" /></object><div style="margin:0;text-align:center;width:480px;font-family:Arial,sans-serif;font-size:12px;color:#FF9B00;"><a href="http://g4tv.com/" style="color:#FF9B00;" target="_blank">Video Games</a> - <a href="http://g4tv.com/e32011" style="color:#FF9B00;" target="_blank">E3 2011</a> - <a href="http://g4tv.com/attackoftheshow/comiccon09/index.html" style="color:#FF9B00;" target="_blank">Comic-Con '09 Live</a></div>

leviatan21
Registered User
Posts: 2663
Joined: Fri Aug 10, 2007 7:22 am
Location: Buenos Aires, Argentina
Name: Gabriel

Re: Custom BBCodes

Post by leviatan21 »

WickedSmile wrote:Is it possible to get a BBcode for G4 videos? Comic Con has started and I'd like to post videos of the footage on my site.
Try this :
BBCode usage

Code: Select all

[g4tv]http://g4tv.com/videos/{NUMBER}/{TEXT}[/g4tv]
HTML replacement

Code: Select all

<object classId="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="480" height="418" id="VideoPlayerLg{NUMBER}"><param name="movie" value="http://g4tv.com/lv3/{NUMBER}" /><param name="allowScriptAccess" value="always" /><param name="allowFullScreen" value="true" /><embed src="http://g4tv.com/lv3/{NUMBER}" type="application/x-shockwave-flash" name="VideoPlayer" width="480" height="382" allowScriptAccess="always" allowFullScreen="true" /></object>
Excuse me for my poor English, I speak Spanish. | Image phpBB en Español

ric323
Former Team Member
Posts: 22909
Joined: Tue Feb 06, 2007 12:33 am
Location: Melbourne, Australia
Name: Ric

Re: Custom BBCodes

Post by ric323 »

or just this ;)

Code: Select all

[flash=480,418]http://g4tv.com/lv3/40241[/flash]

WickedSmile
Registered User
Posts: 2
Joined: Thu Jul 22, 2010 4:14 am

Re: Custom BBCodes

Post by WickedSmile »

Thank you!