Closed CriseX closed 11 years ago
same
After giving it some thought, while string replacements are nice, why not leave the method of replacement up to the user... ie. rather than supply html replacement to the addBBCode use a php callable, which means whoever adds the bbcode is now able to do whatever sanity checks they need.
It would also allow addBBCode to theoretically support tags with multiple attributes, because said attributes could be passed to the provided callable as an associative array rather than having to map them to some identifier scheme (of course the current parser class would need to be adapted for it).
Can you elaborate on the double quotes when adding new bbcode?
$parser->addBBCode("quote", 'div class="quote"{param}/div');
is the above secure? (took out < and >)
To be clear about what I said in the first post, following those instructions is not 100% secure, as for your quote question, yes, although it only matters if you allow user input within attributes so in above example it would actually make no difference.
Regarding security, consider the following... even with my suggestion the following BBCode is exploitable:
$parser->addBBCode("url", "<a href=\"{option}\">{param}</a>", true);
because even with the escaping applied before calling parse and even with double quotes around attribute name, preventing adding of additional attributes, the value itself (option) is not validated to be an actual url... so user could embed say javascript in it.
I think your concerns may have at least partially been addressed by 426e5248.
Just a suggestion about the examples on the web page, you should at least add the following notes to them as general recommendations.
I know security can be seen as somewhat non-issue for a middleware like jbbcode, however, ideally the concept of {option} and {param} could be enhanced/expanded to allow things like {attribute} etc. with some limits, or at the very least allowing users to externally specify the default CodeDefinition to use for bbcode's added via addBBCode.
Yes it is possible of course by deriving Parser and re-implementing addBBCode, but a geniune interface for it would be nicer.