BetterPHP

So I think I have the BBCode parser for XHBB pretty much perfected and could do with some free testing if you are interested, this is the most likely place to have security (XSS) issues so it needs some serious testing

If you are interested go to this link http://jacekk.co.uk/bbcode_test/

The the test button will log what you enter and the processed result to mysql so I can look later, it will also show you the result

Valid tags are

[syntax=text][b]test[/b] for bold
[u]test[/u] for underline
[i]test[/i] for italic
[s]test[/s] for line-through
[img]url[/img] for an image
[url]url[/url] for a link[/syntax]
The url tag is a little different to most common ones at the moment as you can also do

[syntax=text][url url="url" title="hover text"]thing to show[/url][/syntax]
either attribute should be optional, if url is left out the thing inside the tag is used. because of the way it detects the thing inside the tag you can also do

[syntax=text][url][img]url[/img][/url][/syntax]
to link to the same image that is displayed. And because the forum will resize large images by default, this is a nice way to easily do click to enlarge

The parser should also try to sort out any tags in the wrong order, so if you do
[syntax=text][b]test[/syntax]
it will do bold text as it auto-closes tags left open,

Also if you do

[syntax=text][b]test[/i][/syntax]
the [/i] will be replaced with a [/b]

The overall aim is to keep the html valid, so if you invalidate it somehow, you win

So a summery of what you should do:
- Go to http://jacekk.co.uk/bbcode_test/
- Try to break it by:
- Looking for XSS exploits
- Trying to invalidate the html by entering mangled bbcode

Thanks in advance, it would be a great help if you could have a go

If you find anything interesting, post your test # here so I can look in the DB

<script type="text/javascript">alert('most simple test');</script>

gave me a pop-up.

By the way, I think, for the URL tag, you should do it just like any other forum does it. You're sort of inventing your own BBCode, which is fine, but I don't think you should do it with such universal tags. Personally I'd just stick to

[syntax]text[/syntax]

just so that everyone knows what to use right off the bat.

well, if the title="" is optional, it doesnt matter, and it allows more info to be given which i like so, i think keep it. since having it wont affect anything

I love that if you do Test[/b ][/i ] it still get's it right and closes in the "valid" order

Now you just need a syntax highlighter

Tino wrote:<script type="text/javascript">alert('most simple test');</script>

gave me a pop-up.

oo... I forgot a htmlentities fixed. that was a bug in the page that I made for testing, not the parser

Tino wrote:By the way, I think, for the URL tag, you should do it just like any other forum does it. You're sort of inventing your own BBCode, which is fine, but I don't think you should do it with such universal tags. Personally I'd just stick to

because of the way it works would be impossible [url]link Is still the same SMF has totally crazy BBCode compared to phpbb.

EcazS wrote:I love that if you do Test[/b ][/i ] it still get's it right and closes in the "valid" order

Cleaver right

[b][i]Test[/b][/i]

For this example what actually happens is that it gets to the [/b] tag, realises the last opened tag was [i] and removes the [/b]. Then the auto-closing puts the [/b] back as it ends up being left open.

EcazS wrote:And how did you type that without it turning into a bold, italic text

There is a disable BBCode checkbox under the preview and submit buttons. Weirdly it does not disable the syntax tags, which is how I made the first post in this topic

The Test # is now a link, e.g. this is my favourite so far http://jacekk.co.uk/bbcode_test/?test_id=12

http://jacekk.co.uk/bbcode_test/index.php?test_id=30

It only autocloses one, maybe try to get it to autoclose all?

bowersbros wrote:http://jacekk.co.uk/bbcode_test/index.php?test_id=30

It only autocloses one, maybe try to get it to autoclose all?

What do you mean ? the i and u tags are both auto-closed in this example.

jacek wrote:

bowersbros wrote:http://jacekk.co.uk/bbcode_test/index.php?test_id=30

It only autocloses one, maybe try to get it to autoclose all?

What do you mean ? the i and u tags are both auto-closed in this example.

oh yes, didnt see the </em>

bowersbros wrote:oh yes, didnt see the </em>

Did it not look italic ?

I thought you were talking about the [/s] tag, auto-opening as well would be harder

As long as it produces valid html I am happy you're not really meant to rely on the auto-closing anyway, it's just a cool way to make the html stay valid.

can you share the code you use for auto closing?

jacek wrote:The Test # is now a link, e.g. this is my favourite so far http://jacekk.co.uk/bbcode_test/?test_id=12

I tried really hard to break it!

You did a really good job Jacek! Well done.

bowersbros wrote:can you share the code you use for auto closing?

Already shared https://github.com/betterphp/XHBB/blob/ ... ss.inc.php around line 255 The validate_tokens() method one line 188 is the thing you are testing

I know it's embarrassingly messy !

Temor wrote:I tried really hard to break it!

You did a really good job Jacek! Well done.

I assume you didn't mange that's good Also thanks.

jacek wrote: I assume you didn't mange

Nope. I even googled for usual custom bbcode glitches and bugs, but none of the ones I found glitched your code.

It's flawless

Temor wrote:It's flawless

Well that sounds promising. thanks for testing so thoroughly

Someone just found a bug !

http://jacekk.co.uk/bbcode_test/index.php?test_id=39
should have done
http://jacekk.co.uk/bbcode_test/index.php?test_id=40

Thank you someone

http://jacekk.co.uk/bbcode_test/index.php?test_id=43

maybe get it to ignore parameters? so the first one doesnt show [hello] but instead hello.

And also, got a random pair of [ ] between my content for invalid tag use.