Why are you using BBCodes?

vans schoenen at Sun, 05 Feb 2012 23:04:32 +0100

vans schoenen — Sun, 05 Feb 2012 22:04:32 +0000

Use HTML Purifier, it is much much better than BB code which is dumb. I completely agree with your article!

Aloha! at Sun, 09 Oct 2011 18:18:51 +0200

Aloha! — Sun, 09 Oct 2011 16:18:51 +0000

Hey Kore, anything to say about [youtube] and [quote] as gareth mentioned earlier? gareth does make a good point here. These things are great for those non tech savvy and such. I would rather use BBcode, than to waste anyone's time learning to do [youtube] and [quote] alternative.

Adidas schoenen at Fri, 21 Jan 2011 16:20:12 +0100

Adidas schoenen — Fri, 21 Jan 2011 15:20:12 +0000

Great insights in the comments!

bayanlarla sohbet at Sat, 18 Dec 2010 23:25:20 +0100

bayanlarla sohbet — Sat, 18 Dec 2010 22:25:20 +0000

I think Bbcodes very usefl for my forum Vbulletin. For special signatures and good looking profiles it is very necessary. Bbcodes are very functional on forums

ezmoz article at Tue, 24 Aug 2010 15:51:19 +0200

ezmoz article — Tue, 24 Aug 2010 13:51:19 +0000

there is nothing wrong with using an optional WYSIWYG-editors if you wanna make it simple for the users. btw, Thanks for sharing.

Chat at Thu, 01 Jul 2010 01:36:23 +0200

Chat — Wed, 30 Jun 2010 23:36:23 +0000

you super sites. admin thanks:))))

goedkoop geld lenen at Sun, 13 Jun 2010 20:23:17 +0200

goedkoop geld lenen — Sun, 13 Jun 2010 18:23:17 +0000

Use HTML Purifier, it is much much better than BB code which is dumb. I completely agree with your article

Muhabbet at Sun, 13 Jun 2010 17:07:27 +0200

Muhabbet — Sun, 13 Jun 2010 15:07:27 +0000

Sohbet at Sun, 13 Jun 2010 17:06:59 +0200

Sohbet — Sun, 13 Jun 2010 15:06:59 +0000

nice post, thank you..

Snel geld lenen at Mon, 04 Jan 2010 21:34:07 +0100

Snel geld lenen — Mon, 04 Jan 2010 20:34:07 +0000

I like BBcodes, much easier than regular html

Tuna at Fri, 01 Jan 2010 23:57:14 +0100

Tuna — Fri, 01 Jan 2010 22:57:14 +0000

Thanks for the comment Void.

gareth at Fri, 13 Jun 2008 00:46:47 +0200

gareth — Thu, 12 Jun 2008 22:46:47 +0000

bbcode is simpler to parse/validate than a subset of html, and simpler for the user, eg. [youtube]0123456789a[/youtube] [quote=guy]blaa[/quote]

Michael at Wed, 04 Jun 2008 14:22:31 +0200

Michael — Wed, 04 Jun 2008 12:22:31 +0000

Familiarity counts. Whether it's a botched variant of HTML isn't relevant for those users that learned their formatting from forum software. So if your users have lots of experience with posting in forums (or a pre-packaged forum plays a part in your site), using BBCode is the path of least resistance. And I'd rather use Markdown, Textile, roff etc. than a subset of HTML. With a completely separate format, I don't have to keep in mind what tags I can use in this particular textarea...

Kredyt at Wed, 30 Apr 2008 16:15:18 +0200

Kredyt — Wed, 30 Apr 2008 14:15:18 +0000

i use bbcodes, because i work with bulletin boards and its easier to handle than with html. but i agree to kredyt mieszkaniowy, that one language is better than two different:)

Kredyt Mieszkaniowy at Fri, 01 Feb 2008 11:59:23 +0100

Kredyt Mieszkaniowy — Fri, 01 Feb 2008 10:59:23 +0000

Why can we just use one language (inplementation) of HTML, I dont like BBCode :( ???

Pete at Sat, 19 Jan 2008 03:18:57 +0100

Pete — Sat, 19 Jan 2008 02:18:57 +0000

well, BB codes could be advantageous for making comments styling simpler. I can tell you that my community does not want to change back to HTML. regards Pete

Mastodont at Mon, 05 Nov 2007 07:31:40 +0100

Mastodont — Mon, 05 Nov 2007 06:31:40 +0000

BBCode is not the only one markup language and I'm using ML on account of rate and simplicity. Wisiwyg editors usually demand keyboard-mouse-keyboard move, while typing **bold text** or ::italic text:: or ++url text++ is straightforward. With regard to impossibility to validate ML using regular expressions, what about: step 1) translate ML with very simple regexps to (X)HTML step 2) verify resulting code in HTML Purifier

Void at Sun, 09 Sep 2007 14:15:38 +0200

Void — Sun, 09 Sep 2007 12:15:38 +0000

However, I think that insecurity is not inherent to any markup language (or markdown or whatever) The insecurity is in the markup change, the implementation needs to remove the input escaping and add the output escaping (and we need to replace < and > by < and > but also we need to replace & by &, " by " and also ' to '(i think) But most users forget the tree laters, which can lead to serious problems in security :) and my parser won't actually escape this, as he is also able to output Text

Kore at Sun, 09 Sep 2007 09:37:13 +0200

Kore — Sun, 09 Sep 2007 07:37:13 +0000

Thanks for the comment Void. Writing a fast and real parser is of course very much appreciated for existing applications which are still bound to BBCodes.

Void at Fri, 07 Sep 2007 18:34:39 +0200

Void — Fri, 07 Sep 2007 16:34:39 +0000

I'm the author of the php BBCode extension and I'm happy my (early stage) Extension is mentionned here, I'm currently working on a brandly new parser (i've seen many limitations in the current one) However, i have to mention that BBCode is only a convention and that nobody (forums, blogs systems & so on) really parse it the same way, my extension was a try to make a unified approach, my "nexgen" parser is described here: http://news.php.net/php.pecl.dev/4825 I don't think BBCode is the perfect solution, however, it's widespread of use in manyforums and so, so i used it on my website and the parsing was a performance critical operation so, i started the extension. However, I'll be happy to have your feedback on what is "missing" because it's still beta and many new capabilities can be added while still coding. Just mail me suggestions xavier - the at sign - bmco -dot, yes, just dot- eu It's fun that people still uses regex (when it's not str_replace) to "parse" (in fact, it's not parsing, as parsing require a tokenization and lexical analysis, phase). The discussion is however good, and, i agree, BBCode is not a good langage, it's an error, that has been widespread.

Ronald Iwema at Fri, 07 Sep 2007 14:07:47 +0200

Ronald Iwema — Fri, 07 Sep 2007 12:07:47 +0000

@kore I don't agree. Looking at implementing BBCode, u make sure all < and > are replaced by < and >, and then u can process the BBCodes. If u work with a whitelist of allowed HTML elements u have to do more work in implementing it correctly. Also controlling which attributes can be used is easier. Actually I prefer the "don't let users style there comments" approach.

kore at Wed, 05 Sep 2007 16:04:24 +0200

kore — Wed, 05 Sep 2007 14:04:24 +0000

@Ronald Iwema: Where is the difference between a list of BBCodes to transform and a list of allowed (X)Html elements? None.

Ronald Iwema at Wed, 05 Sep 2007 14:34:50 +0200

Ronald Iwema — Wed, 05 Sep 2007 12:34:50 +0000

I think the main reason I would use BB is to control which HTML elements a user can use .

philip at Wed, 05 Sep 2007 03:05:33 +0200

philip — Wed, 05 Sep 2007 01:05:33 +0000

Joakim Nygård at Tue, 04 Sep 2007 15:59:38 +0200

Joakim Nygård — Tue, 04 Sep 2007 13:59:38 +0000

I've never liked BBCode. Every time I get the chance to influence a decision about formatted input, I suggest Markdown. Created by John Gruber (daringfireball.com) it looks like one would format a plain text file. Simple and easy to understand. Security concerns are obviously dependant on the actual code used to parse the Markdown into html and so is not part of the syntax itself. One advantage to using an intermediate syntax and convert it to html is that it gives you the option of outputting it in other structures -updated html/xhtml for instance. In other words, you are not stuch with whatever code was entered but can update the parser to follow new standards.

Kore at Mon, 03 Sep 2007 23:19:13 +0200

Kore — Mon, 03 Sep 2007 21:19:13 +0000

@iamsure: The prove, that you can't use regular expression to validate / parse BBCodes is here: http://kore-nordmann.de/blog/do_NOT_parse_using_regexp.html There is no option for discussion on that, until you either prove some of the basic axioms of common mathematics as wrong, or show, in which way my analytic proof is broken.

Kore at Mon, 03 Sep 2007 23:16:32 +0200

Kore — Mon, 03 Sep 2007 21:16:32 +0000

@Evert: I explicitely said, that blacklisting won't work well. Use whitelistin. I wrote that in the blog post. You of course should never try blacklisting in this context.

iamsure at Mon, 03 Sep 2007 22:27:13 +0200

iamsure — Mon, 03 Sep 2007 20:27:13 +0000

For me, its that I'm familiar with bbcode. I know html, and I know bbcode, but when posting to a forum, or similar, bbcode is what seems most comfortable. My blog (from blogger) supports html, and I've known html for far longer, but yet bbcode seems more comfortable in that context. In my case, I like using bbcode, and its that simple. Its not about security, or ease of use, or even XSS. Its just what I feel comfortable using in that context. But beyond that, its an interesting problem to solve, which I enjoy. Sure, I could tell users to only use html. Or plain text. Or SGML docbook. But supporting technologies that make things easier for users is appealing - even if it is truly challenging to support well. I disagree with your assertion that it has been proven that you cannot implement bbcode with regex. I'd say that its extremely challenging to do well, and to do in multiple levels of nesting. Those are not the same things. :)

mg at Mon, 03 Sep 2007 20:50:48 +0200

mg — Mon, 03 Sep 2007 18:50:48 +0000

I was asking myself why people started using MarkDown or one of the many WikiSyntax in their blogs. Next step would be the same shit in forums. As it goes for my blog i'm using a minimal set of allowed HTML-tags. Basically there is nothing wrong with using an optional WYSIWYG-editors if you wanna make it simple for the users. Just don't use BBCode. Who doesn't understand it doesn't understand it. The argument “it's safer” doesn't count on HTML. You don't need to use blacklists but whitelists with your allowed tags and attributes instead, and a Markup cleanup like tidy. I also ask myself why i always have to see these useless font-family and color-dropdowns in WYSIWYG editors. Give the users a format dropdown! Induvidualism is a no-go on forums! Just a basic set of XHTML 1.1 formatting is enough!

Tobias Struckmeier at Mon, 03 Sep 2007 19:39:31 +0200

Tobias Struckmeier — Mon, 03 Sep 2007 17:39:31 +0000

@ Evert: You don't want blacklisting. You want whitelisting which you can achieve with several classes which rebuild the input DOM, but only with the "save" elements and with validated attribute values. An additional benefit of html input for "rich text enabled" fields is that you have the possibility of using the browser as a wysiwyg html editor. Anybody is able produce html code that way. And I don't see the extra fallback you speak of? People which let bypass