BBCode question output HTML

HTML Code

ez	#1 2010-01-31 22:25
Contributors Bedankt: 10 tijden	Hi you all, I want to let the users add HTML code to their articles. I have made a bbcode like this: [html_code][/html_code] The bbcodes work, but the $1 gets translated so the text is showing, but not as HTML. all special characters are escaped. Is there a way to do this ???? I want this, because they want to add <embed xxx yyy zzz </embed> stuff hope someone can help or maybe someone has a better idea, Leo (ez) p.s. I do not want to activate the possibility so they can type pure HTML.. ==- I say: Keep it EZ -==

#1 2010-01-31 22:25

Hi you all,

I want to let the users add HTML code to their articles.
I have made a bbcode like this: [html_code][/html_code]

The bbcodes work, but the $1 gets translated so the text is showing, but not as HTML.
all special characters are escaped.

Is there a way to do this ????

I want this, because they want to add <embed xxx yyy zzz </embed> stuff

hope someone can help or maybe someone has a better idea,

Leo (ez)

p.s. I do not want to activate the possibility so they can type pure HTML..

==- I say: Keep it EZ -==

Trustmaster	#2 2010-01-31 23:32
Administrators Bedankt: 265 tijden	Why not add proper embed bbcodes instead? BBcode parser doesn't accept any HTML. May the Source be with you!

ez	#3 2010-01-31 23:45
Contributors Bedankt: 10 tijden	You are right, but i have so many variables in there... I do not know wich ones are standard Look at this code: <embed src="http://pauwenwitteman.vara.nl/typo3conf/ext/vara_flashplayer/player/player.swf" AllowScriptAccess="always" width="480" height="320" bgcolor="262626" allowfullscreen="true" flashvars="config=http://pauwenwitteman.vara.nl/index.php%3Fid%3D113%26type%3D9010%26tx_varaflashplayer_xmlgenerator%5Bconfig%5D%3D4839%26tx_varaflashplayer_xmlgenerator%5Bembed%5D%3D1%26cHash%3D98e1a6d4ef" ></embed> So thats the thing, every embed element will be so different Do you have an idea on how to make this ==- I say: Keep it EZ -==

#3 2010-01-31 23:45

Contributors
Bedankt: 10 tijden

You are right, but i have so many variables in there...
I do not know wich ones are standard

Look at this code:
<embed src="http://pauwenwitteman.vara.nl/typo3conf/ext/vara_flashplayer/player/player.swf" AllowScriptAccess="always" width="480" height="320" bgcolor="262626" allowfullscreen="true" flashvars="config=http://pauwenwitteman.vara.nl/index.php%3Fid%3D113%26type%3D9010%26tx_varaflashplayer_xmlgenerator%5Bconfig%5D%3D4839%26tx_varaflashplayer_xmlgenerator%5Bembed%5D%3D1%26cHash%3D98e1a6d4ef" ></embed>

So thats the thing, every embed element will be so different

Do you have an idea on how to make this

==- I say: Keep it EZ -==

Twiebie	#4 2011-11-25 01:57
Team Bedankt: 74 tijden	#22502 Trustmaster: Why not add proper embed bbcodes instead? BBcode parser doesn't accept any HTML. Sorry for bumping an old topic, but I do have a question on this. Would it not be possible to create something like a bbcode for a HTML container that can allow embedding?
Team Bedankt: 74 tijden	Dit bericht is bewerkt door Twiebie (2011-11-25 03:30, 13 jaren ago)

ez	#5 2011-11-25 06:21
Contributors Bedankt: 10 tijden	i have made it.... [html] [/html]... BUT it needs corehacking. And I question if it is safe.. ==- I say: Keep it EZ -==

Trustmaster	#6 2011-11-25 08:44
Administrators Bedankt: 265 tijden	What kind of container does an embed need? Added 1 minute later: Ah, got it, so you added a bbcode for raw HTML. Well, it isn't any safe because one can put malicious JavaScript in it and steal admin credential when he browsers the page. May the Source be with you!

ez	#7 2011-11-25 10:36
Contributors Bedankt: 10 tijden	Question.... Would it be safe if I would strip any <script> </script> tags from the content inside the HTML BBcode users input.... ??? Would that be enough for safety... ?? By the way I made that functions just for admins... so I am the only one that can do that.. and i made it for fixed areas.. For example I put blocks of HTML above lists (So kinda like a page above a list) DEVIL Big Brother is Watching !!! I know that IF i put Googles Analytics JS script on my site, then they could intercept all my POST data (so also my login credentials) A lot off people do NOT realize this !! Google knows everything ... ==- I say: Keep it EZ -==

#7 2011-11-25 10:36

Contributors
Bedankt: 10 tijden

Question....
Would it be safe if I would strip any <script> </script> tags from the content inside the HTML BBcode users input.... ???
Would that be enough for safety... ??

By the way
I made that functions just for admins... so I am the only one that can do that.. and i made it for fixed areas..
For example I put blocks of HTML above lists (So kinda like a page above a list)

DEVIL Big Brother is Watching !!!
I know that IF i put Googles Analytics JS script on my site, then they could intercept all my POST data (so also my login credentials)
A lot off people do NOT realize this !!
Google knows everything ...

==- I say: Keep it EZ -==

Trustmaster	#8 2011-11-25 13:58
Administrators Bedankt: 265 tijden	Yes, it is quite safe if it is for admins only. Otherwise you need something like HTML Purifier to sanitize the html. May the Source be with you!