Custom BBCodes [Deprecated]

AmigoJack · Post by **AmigoJack** » Tue Jul 20, 2010 11:53 am

The current usage of [ u ] and most of the examples for [ s ] or [ strike ] are using deprecated HTML-tags. Believe it or not, but for anything you ever wanted to underline or strike-trough HTML already has the Tags <ins> and <del>. So the best practice for BBcodes should be:

BBcode "underline":

Code: Select all

[u]{TEXT}[/u]

HTML replacement:

Code: Select all

<ins>{TEXT}</ins>

BBcode "strike-through":

Code: Select all

[s]{TEXT}[/s]

HTML replacement:

Code: Select all

<del>{TEXT}</del>

There is even no need to apply CSStyles to it - all major browsers today seem to automatically show underlines and strike-troughs (tested on FFOX3, OPER10, MSIE7).

updown · Post by **updown** » Tue Jul 20, 2010 5:38 pm

updown wrote:I have the same problem whenever I need to pass a specific attribute into an URL, where full TEXT support is necessary. Example:
Code: Select all
<a href="http://myurlxxxx.com/index.php?q={TEXT}">...</a>
FIRST:
I need all chars available, including UTF8 and special chars for a correct URL. Is there an other solution instead of "{TEXT}"?

SECOND:
Is there a documentation or an example anywhere that helps judging the risk of an XSS-vulnerability within these kind of tags in phpBB? Since special-chars like ' < ' or '"' are beeing html-encoded, I've no clue where exactly the problem is. (I found nothing concrete about this by searching intensively).

Thanks in advance for helpful answers!

anyone?

AmigoJack · Post by **AmigoJack** » Wed Jul 21, 2010 6:51 am

In ACP > Posting > Message > BBCodes the available tokens are even explained:
{INTTEXT} Unicode letter characters, numbers, spaces, commas, dots, minus, plus, hyphen, underscore and whitespaces.
Which problem? This has always been one of BBCode's intentions: to avoid HTML and sanitize any formatting input. This way nobody can e.g. use style-tags to include foreign documents. Do you have any example that might point to an issue which makes BBCode unsafe?
I've no clue where exactly the problem is

ric323 · Post by **ric323** » Wed Jul 21, 2010 7:08 am

AmigoJack wrote:...
[*]Which problem? This has always been one of BBCode's intentions: to avoid HTML and sanitize any formatting input. This way nobody can e.g. use style-tags to include foreign documents. Do you have any example that might point to an issue which makes BBCode unsafe? ...

I think he is referring to using a {TEXT} token inside an HTML tag, which most definitely is NOT safe.

kevb8ll · Post by **kevb8ll** » Wed Jul 21, 2010 10:33 am

How can I embed the following using BBcode?:

http://v.sports.163.com/video/2010/7/D/7/V6AVOICD7.html

It's a flash embedded file in a HTML page.

I already have a BBcode default set up for youtube - but can't get this to work.

Kev

ric323 · Post by **ric323** » Wed Jul 21, 2010 10:51 am

Something like this?

Code: Select all

[flash=492,397]http://img1.cache.netease.com/flvplayer081128/~true~0005_V6AVOICD7~vimg1.ws.126.net/image/snapshot/2010/7/D/8/V6AVOICD8~.swf[/flash]

kevb8ll · Post by **kevb8ll** » Wed Jul 21, 2010 11:00 am

Cheers mate.

What does the 492/397 denote, the size of the player window? If so all I need to change is any url after that?

How did you extract the direct link?

ric323 · Post by **ric323** » Wed Jul 21, 2010 11:19 am

kevb8ll wrote:What does the 492/397 denote, the size of the player window?

Yes.

If so all I need to change is any url after that?

How did you extract the direct link?

By viewing the page source for the page you linked to (and looking for a reference to a ".swf" file).
In particular:

Code: Select all

 <object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" id="CoreVPlayer" width="492" height="397" codebase="http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab">
            <param name="movie" value="http://img1.cache.netease.com/flvplayer081128/~true~0005_V6AVOICD7~vimg1.ws.126.net/image/snapshot/2010/7/D/8/V6AVOICD8~.swf" />
            <param name="quality" value="high" />
            <param name="bgcolor" value="#ffffff" />
            <param name="allowfullscreen" value="true" />
            <param name="allowScriptAccess" value="always" />
            <embed src="http://img1.cache.netease.com/flvplayer081128/~true~0005_V6AVOICD7~vimg1.ws.126.net/image/snapshot/2010/7/D/8/V6AVOICD8~.swf" quality="high" bgcolor="#ffffff" width="492" height="397" name="CoreVPlayer" play="true"    loop="false"quality="high" allowScriptAccess="always" allowfullscreen="true" type="application/x-shockwave-flash" pluginspage="http://www.adobe.com/go/getflashplayer"></embed>
            </object>

From that:
<param name="movie" value="http://img1.cache.netease.com/flvplayer ... OICD8~.swf" />
width="492" height="397"

kevb8ll · Post by **kevb8ll** » Wed Jul 21, 2010 3:15 pm

Thank you for that - I appreciate your help.

Kev

updown · Post by **updown** » Wed Jul 21, 2010 6:46 pm

AmigoJack wrote:In ACP > Posting > Message > BBCodes the available tokens are even explained:
{INTTEXT} Unicode letter characters, numbers, spaces, commas, dots, minus, plus, hyphen, underscore and whitespaces.

INTTEXT doesn't allow " or other specialchars like < or >, but in some Urls you definately have to pass them with the variable, otherwise the URL doesn't work as expected!

ric323 wrote:I think he is referring to using a {TEXT} token inside an HTML tag, which most definitely is NOT safe.

Exactly, but WHY? WHERE is the issue? HOW could that be compromised and HOW BIG is the risk by ignoring this warning? Any documentation or hint for further examinations?

Post by **Noxwizard** » Wed Jul 21, 2010 8:00 pm

Because you can break out of any tag that uses {TEXT} and create an XSS vulnerability.

WickedSmile · Post by **WickedSmile** » Thu Jul 22, 2010 4:18 am

Is it possible to get a BBcode for G4 videos? Comic Con has started and I'd like to post videos of the footage on my site.

http://g4tv.com/videos/40241/A-Visit-Fr ... rue-Blood/

Embed code

Code: Select all

<object classId="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="480" height="418" id="VideoPlayerLg40241"><param name="movie" value="http://g4tv.com/lv3/40241" /><param name="allowScriptAccess" value="always" /><param name="allowFullScreen" value="true" /><embed src="http://g4tv.com/lv3/40241" type="application/x-shockwave-flash" name="VideoPlayer" width="480" height="382" allowScriptAccess="always" allowFullScreen="true" /></object><div style="margin:0;text-align:center;width:480px;font-family:Arial,sans-serif;font-size:12px;color:#FF9B00;"><a href="http://g4tv.com/" style="color:#FF9B00;" target="_blank">Video Games</a> - <a href="http://g4tv.com/e32011" style="color:#FF9B00;" target="_blank">E3 2011</a> - <a href="http://g4tv.com/attackoftheshow/comiccon09/index.html" style="color:#FF9B00;" target="_blank">Comic-Con '09 Live</a></div>

leviatan21 · Post by **leviatan21** » Thu Jul 22, 2010 4:49 am

WickedSmile wrote:Is it possible to get a BBcode for G4 videos? Comic Con has started and I'd like to post videos of the footage on my site.

Try this :
BBCode usage

Code: Select all

[g4tv]http://g4tv.com/videos/{NUMBER}/{TEXT}[/g4tv]

HTML replacement

Code: Select all

<object classId="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="480" height="418" id="VideoPlayerLg{NUMBER}"><param name="movie" value="http://g4tv.com/lv3/{NUMBER}" /><param name="allowScriptAccess" value="always" /><param name="allowFullScreen" value="true" /><embed src="http://g4tv.com/lv3/{NUMBER}" type="application/x-shockwave-flash" name="VideoPlayer" width="480" height="382" allowScriptAccess="always" allowFullScreen="true" /></object>

ric323 · Post by **ric323** » Thu Jul 22, 2010 4:51 am

or just this

Code: Select all

[flash=480,418]http://g4tv.com/lv3/40241[/flash]

WickedSmile · Post by **WickedSmile** » Thu Jul 22, 2010 5:12 am

Thank you!

advertisements