Page 187 of 267

Re: Custom BBCodes

Posted: Tue Jul 20, 2010 11:53 am
by AmigoJack
The current usage of [ u ] and most of the examples for [ s ] or [ strike ] are using deprecated HTML tags. Believe it or not, but for anything you ever wanted to underline or strike through, HTML already has the tags <ins> and <del>. So the best practice for BBCodes should be:

BBCode "underline":

Code:

[u]{TEXT}[/u]

HTML replacement:

Code:

<ins>{TEXT}</ins>

BBCode "strike-through":

Code:

[s]{TEXT}[/s]

HTML replacement:

Code:

<del>{TEXT}</del>
There is even no need to apply CSS styles to it - all major browsers today seem to automatically show underlines and strike-throughs (tested on FFOX3, OPER10, MSIE7).

Re: Custom BBCodes

Posted: Tue Jul 20, 2010 5:38 pm
by updown
updown wrote:I have the same problem whenever I need to pass a specific attribute into a URL, where full TEXT support is necessary. Example:

Code:

<a href="http://myurlxxxx.com/index.php?q={TEXT}">...</a>

FIRST:
I need all chars available, including UTF-8 and special chars for a correct URL. Is there another solution instead of "{TEXT}"?

SECOND:
Is there any documentation or an example anywhere that helps in judging the risk of an XSS vulnerability within this kind of tag in phpBB? Since special chars like ' < ' or '"' are being HTML-encoded, I've no clue where exactly the problem is. (I found nothing concrete about this by searching intensively.)

Thanks in advance for helpful answers!
anyone? :roll:

Re: Custom BBCodes

Posted: Wed Jul 21, 2010 6:51 am
by AmigoJack
  1. In ACP > Posting > Message > BBCodes the available tokens are even explained:
     {INTTEXT} Unicode letter characters, numbers, spaces, commas, dots, minus, plus, hyphen, underscore and whitespaces.
  2. updown wrote:I've no clue where exactly the problem is
     Which problem? This has always been one of BBCode's intentions: to avoid HTML and sanitize any formatting input. This way nobody can e.g. use style-tags to include foreign documents. Do you have any example that might point to an issue which makes BBCode unsafe?

Re: Custom BBCodes

Posted: Wed Jul 21, 2010 7:08 am
by ric323
AmigoJack wrote:...
Which problem? This has always been one of BBCode's intentions: to avoid HTML and sanitize any formatting input. This way nobody can e.g. use style-tags to include foreign documents. Do you have any example that might point to an issue which makes BBCode unsafe? ...
I think he is referring to using a {TEXT} token inside an HTML tag, which most definitely is NOT safe.

Re: Custom BBCodes

Posted: Wed Jul 21, 2010 10:33 am
by kevb8ll
How can I embed the following using BBcode?:

http://v.sports.163.com/video/2010/7/D/7/V6AVOICD7.html

It's a flash embedded file in a HTML page.

I already have a BBcode default set up for youtube - but can't get this to work.

Kev

Re: Custom BBCodes

Posted: Wed Jul 21, 2010 10:51 am
by ric323
Something like this? :)

Code:

[flash=492,397]http://img1.cache.netease.com/flvplayer081128/~true~0005_V6AVOICD7~vimg1.ws.126.net/image/snapshot/2010/7/D/8/V6AVOICD8~.swf[/flash]


Re: Custom BBCodes

Posted: Wed Jul 21, 2010 11:00 am
by kevb8ll
Cheers mate.

What does the 492/397 denote, the size of the player window? If so all I need to change is any url after that?

How did you extract the direct link?

Re: Custom BBCodes

Posted: Wed Jul 21, 2010 11:19 am
by ric323
kevb8ll wrote:What does the 492/397 denote, the size of the player window?
Yes.
If so all I need to change is any url after that?

kevb8ll wrote:How did you extract the direct link?
By viewing the page source for the page you linked to (and looking for a reference to a ".swf" file).
In particular:

Code:

<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" id="CoreVPlayer" width="492" height="397" codebase="http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab">
    <param name="movie" value="http://img1.cache.netease.com/flvplayer081128/~true~0005_V6AVOICD7~vimg1.ws.126.net/image/snapshot/2010/7/D/8/V6AVOICD8~.swf" />
    <param name="quality" value="high" />
    <param name="bgcolor" value="#ffffff" />
    <param name="allowfullscreen" value="true" />
    <param name="allowScriptAccess" value="always" />
    <embed src="http://img1.cache.netease.com/flvplayer081128/~true~0005_V6AVOICD7~vimg1.ws.126.net/image/snapshot/2010/7/D/8/V6AVOICD8~.swf" quality="high" bgcolor="#ffffff" width="492" height="397" name="CoreVPlayer" play="true" loop="false" quality="high" allowScriptAccess="always" allowfullscreen="true" type="application/x-shockwave-flash" pluginspage="http://www.adobe.com/go/getflashplayer"></embed>
</object>
From that:
<param name="movie" value="http://img1.cache.netease.com/flvplayer ... OICD8~.swf" />
width="492" height="397"

Re: Custom BBCodes

Posted: Wed Jul 21, 2010 3:15 pm
by kevb8ll
Thank you for that - I appreciate your help.

Kev

Re: Custom BBCodes

Posted: Wed Jul 21, 2010 6:46 pm
by updown
AmigoJack wrote:In ACP > Posting > Message > BBCodes the available tokens are even explained:
{INTTEXT} Unicode letter characters, numbers, spaces, commas, dots, minus, plus, hyphen, underscore and whitespaces.
INTTEXT doesn't allow " or other special chars like < or >, but in some URLs you definitely have to pass them with the variable, otherwise the URL doesn't work as expected!
ric323 wrote:I think he is referring to using a {TEXT} token inside an HTML tag, which most definitely is NOT safe.
Exactly, but WHY? WHERE is the issue? HOW could that be compromised and HOW BIG is the risk by ignoring this warning? Any documentation or hint for further examinations?

Re: Custom BBCodes

Posted: Wed Jul 21, 2010 8:00 pm
by Noxwizard
Because you can break out of any tag that uses {TEXT} and create an XSS vulnerability.
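
As an added illustration (not phpBB's code and not from any poster in this thread): one safe way to pass an arbitrary value, UTF-8 and special characters included, into the ?q= parameter of updown's template above is to percent-encode the value for the URL and HTML-escape the finished URL for the attribute, instead of substituting {TEXT} raw. The base URL below is the hypothetical one from updown's post.

```python
from html import escape, unescape
from urllib.parse import quote, urlsplit, parse_qs

# Hypothetical base URL, taken from the template in the post above.
BASE_URL = "http://myurlxxxx.com/index.php"
EXPECTED_HOST = "myurlxxxx.com"


def render_query_link(value: str) -> str:
    """Build <a href="...?q=..."> from an untrusted value.

    Percent-encoding makes the value inert inside the URL: quotes, angle
    brackets, '&', '/' and non-ASCII all become %XX sequences, yet every
    character still reaches the target site after decoding. HTML-escaping
    the finished URL then makes it inert inside the attribute. Scheme and
    host come from the fixed template, never from the user.
    """
    href = BASE_URL + "?q=" + quote(value, safe="")  # safe="" also encodes '/' and '&'
    return '<a href="%s">%s</a>' % (escape(href, quote=True), escape(value))


def check_rendered_link(tag: str, expected_value: str) -> bool:
    """Defensive check on a rendered tag: the href keeps the template's
    scheme and host, contains no raw quote or angle bracket, and its q=
    value decodes back to exactly the original text."""
    prefix = '<a href="'
    if not tag.startswith(prefix):
        return False
    end = tag.find('"', len(prefix))
    if end < 0:
        return False
    href = unescape(tag[len(prefix):end])  # undo attribute-level escaping
    if any(ch in href for ch in '"<>'):
        return False
    parts = urlsplit(href)
    if parts.scheme != "http" or parts.netloc != EXPECTED_HOST:
        return False
    return parse_qs(parts.query).get("q") == [expected_value]


if __name__ == "__main__":
    # Constructed sample value mixing quotes, tags, '&', '/' and UTF-8.
    sample = 'say "hi" <b> & ä/?'
    tag = render_query_link(sample)
    print(tag)
    print("round-trips safely:", check_rendered_link(tag, sample))
```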

Re: Custom BBCodes

Posted: Thu Jul 22, 2010 4:18 am
by WickedSmile
Is it possible to get a BBcode for G4 videos? Comic Con has started and I'd like to post videos of the footage on my site.


http://g4tv.com/videos/40241/A-Visit-Fr ... rue-Blood/

Embed code

Code:

<object classId="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="480" height="418" id="VideoPlayerLg40241">
    <param name="movie" value="http://g4tv.com/lv3/40241" />
    <param name="allowScriptAccess" value="always" />
    <param name="allowFullScreen" value="true" />
    <embed src="http://g4tv.com/lv3/40241" type="application/x-shockwave-flash" name="VideoPlayer" width="480" height="382" allowScriptAccess="always" allowFullScreen="true" />
</object>
<div style="margin:0;text-align:center;width:480px;font-family:Arial,sans-serif;font-size:12px;color:#FF9B00;">
    <a href="http://g4tv.com/" style="color:#FF9B00;" target="_blank">Video Games</a> -
    <a href="http://g4tv.com/e32011" style="color:#FF9B00;" target="_blank">E3 2011</a> -
    <a href="http://g4tv.com/attackoftheshow/comiccon09/index.html" style="color:#FF9B00;" target="_blank">Comic-Con '09 Live</a>
</div>

Re: Custom BBCodes

Posted: Thu Jul 22, 2010 4:49 am
by leviatan21
WickedSmile wrote:Is it possible to get a BBcode for G4 videos? Comic Con has started and I'd like to post videos of the footage on my site.
Try this:
BBCode usage

Code:

[g4tv]http://g4tv.com/videos/{NUMBER}/{TEXT}[/g4tv]

HTML replacement

Code:

<object classId="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="480" height="418" id="VideoPlayerLg{NUMBER}">
    <param name="movie" value="http://g4tv.com/lv3/{NUMBER}" />
    <param name="allowScriptAccess" value="always" />
    <param name="allowFullScreen" value="true" />
    <embed src="http://g4tv.com/lv3/{NUMBER}" type="application/x-shockwave-flash" name="VideoPlayer" width="480" height="382" allowScriptAccess="always" allowFullScreen="true" />
</object>

Re: Custom BBCodes

Posted: Thu Jul 22, 2010 4:51 am
by ric323
or just this ;)

Code:

[flash=480,418]http://g4tv.com/lv3/40241[/flash]

Re: Custom BBCodes

Posted: Thu Jul 22, 2010 5:12 am
by WickedSmile
Thank you!