Why should I use BBCode but not HTML in comment forms?
I'm writing a comment parsing function in PHP.

Since BBCode is not a real markup language, I've never liked the writing style.
So I'm giving visitors the ability to use basic HTML code in comment forms.
And when posting, PHP will check for disallowed and invalid tags/attributes, and either replace or remove them.

I believe it does the same job and output exactly the same as with BBCode.

If this is true, why is there BBCode? Does BBCode have any advantages over HTML?

Update

As monochrome answered:

    If you're confident that your HTML filter is safe enough, you should be fine though.

Well, I'm not confident writing the filter myself, but there are some top-rated filters out there like PHP Simple HTML DOM Parser, HTML Purifier, htmLawed...

BBCode was developed by UBB and is still widely used, for example by phpBB.

Are the developers from UBB/phpBB not confident about their skills to write a perfect HTML filter? (I guess not.)

Also, like the Markdown that StackOverflow is using... if HTML + parser does the job, why invent another "language" anyway? (Except for saving a few bits...)

Casuist answered 1/9, 2011 at 8:51 Comment(5)
Irrepressible: I think HTML markup is quite easily exploited and your check is a workaround. Hackers can be quite ingenious when it comes to finding security holes ;)
Casuist: @Irrepressible So this is about me/PHP vs. hackers. Well, maybe I should've added "IF... my parsing system is WELL/STRICTLY written." I'd really like to see a hacking example against an HTML-allowed comment form.
Assamese: As a sidenote, see #199517
Casuist: @niks thanks nikc, I'm currently choosing among PHP Simple HTML DOM Parser, HTML Purifier, and htmLawed.
Bergama: It is an extremely difficult job to write an HTML filter that keeps out script, and it requires constant maintenance as each new browser is released and the way that people use HTML changes. Make sure you subscribe to new releases of the filter you choose and keep it up to date.

Its main advantage is the prevention of unwanted code injections. That's why I would use something like BBCode or Markdown.

At the very least you should work with a whitelist of allowed HTML tags, not with a blacklist.

Nabataean answered 1/9, 2011 at 9:7 Comment(1)
Bergama: Every single (body) tag can have script attached to its attributes, e.g. style. You will also need a whitelist of attribute names.
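What a tag-plus-attribute whitelist looks like in practice, as an added example for the question's "check for disallowed and invalid tags/attributes" approach and for the whitelist advice in this answer (this is not code from the question, the answers, or any of the libraries named on the page). It parses the comment with PHP's DOMDocument, walks the tree, unwraps unknown elements, deletes script-bearing ones outright, strips every attribute not listed for that tag, and refuses href/src values that are not plain http(s) or site-relative URLs. The constant and function names, the allowed-tag list and the sample comment are this example's own choices.

```php
<?php
declare(strict_types=1);

// Tag => attributes allowed on it. Everything not listed here is dropped,
// which is what turns "style" and every on* handler into a non-issue.
const ALLOWED_TAGS = [
    'b' => [], 'strong' => [], 'i' => [], 'em' => [], 'p' => [], 'br' => [],
    'code' => [], 'pre' => [], 'blockquote' => [], 'ul' => [], 'ol' => [], 'li' => [],
    'a' => ['href', 'title'],
];
// Elements removed together with their contents instead of being unwrapped.
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed', 'noscript'];

function isSafeUrl(string $url): bool
{
    $url = trim($url);
    // Anchors and site-relative paths (but not //other-host) carry no scheme.
    if ($url !== '' && ($url[0] === '#' || ($url[0] === '/' && ($url[1] ?? '') !== '/'))) {
        return true;
    }
    // Everything else must be an absolute http(s) URL, so javascript:, data:,
    // vbscript: and scheme names padded with control characters all fail here.
    return (bool) preg_match('~^https?://~i', $url);
}

function sanitizeNode(DOMNode $node): void
{
    // Walk a snapshot of the children: the live list is modified in the loop.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child->nodeType === XML_TEXT_NODE) {
            continue; // saveHTML() re-escapes text, so literal <, > and & stay inert
        }
        if (!$child instanceof DOMElement
            || in_array(strtolower($child->tagName), DROP_WITH_CONTENT, true)) {
            $node->removeChild($child); // comments, CDATA, script/style blocks
            continue;
        }
        $tag = strtolower($child->tagName);
        if (!isset(ALLOWED_TAGS[$tag])) {
            // Unknown element: keep its (sanitized) children, drop the wrapper itself.
            sanitizeNode($child);
            while ($child->firstChild !== null) {
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
            continue;
        }
        // Allowed element: remove every attribute that is not on its whitelist,
        // plus any href/src whose target fails the URL check.
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->name);
            $keep = in_array($name, ALLOWED_TAGS[$tag], true)
                && (!in_array($name, ['href', 'src'], true) || isSafeUrl($attr->value));
            if (!$keep) {
                $child->removeAttribute($attr->name);
            }
        }
        sanitizeNode($child);
    }
}

function sanitizeHtml(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // tolerate sloppy markup without warnings
    // The XML declaration tells libxml the input is UTF-8; <body> gives one container.
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $html . '</body>', LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $body = $doc->getElementsByTagName('body')->item(0);
    sanitizeNode($body);
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample comment (not taken from the page).
$comment = '<p onclick="alert(1)">Hello <b>world</b></p>'
    . '<script>alert(1)</script>'
    . '<a href="javascript:alert(1)" title="t">bad link</a> '
    . '<a href="https://example.com/">good link</a> '
    . '<img src="x" onerror="alert(1)"> <div style="position:fixed">boxed</div>';
echo sanitizeHtml($comment), PHP_EOL;
```

Two design points are worth noting. First, the filter never looks at the raw string: it only ever decides about elements and attributes the parser has already produced, so tricks aimed at regex filters (odd casing, attribute quoting, entity-encoded scheme names) are settled by the parser before the whitelist sees them. Second, libxml's HTML parser is not a browser's HTML5 parser, so the two can disagree on malformed input; that parser gap is exactly the "constant maintenance" Bergama's comment describes and the reason to run a maintained library such as HTML Purifier rather than a hand-written walker like this one in production.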

BBCode eliminates the issue that your HTML filter might have bugs so that the commenter can comment code he's not supposed to comment. If you're confident that your HTML filter is safe enough, you should be fine though.

Another problem is that HTML comments might break your layout, e.g. when the commenter puts in a single closing </div> or something like that.

Plankton answered 1/9, 2011 at 9:0 Comment(1)
Paxwax: No it doesn't. The BBCode parser might have bugs that allow XSS too.

BBCode became popular as a way of allowing the user limited access to HTML while trying to prevent XSS. BBCode became popular before there were solutions like HTML Purifier. In all reality BBCode and HTML Purifier have their own security problems. It's just that BBCode was a simpler solution to this problem.

Leavelle answered 1/9, 2011 at 14:57 Comment(0)

Using BBCode and converting all remaining tags with htmlspecialchars seems totally XSS-free to me (unless the BBCode parser is really badly designed).

Ultimately, both of them reach the same goal. Currently I choose BBCode because HTML Purifier auto-strips tags instead of replacing the remaining tags with htmlspecialchars. At least in the demo I didn't see a function that keeps the remaining tags.

So there's a problem if we want the user to write &lt; instead of auto-converting it to <. And some more issues with being too lazy to validate all data.

Spoke answered 26/11, 2013 at 10:22 Comment(0)
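The escape-first approach this answer describes, written out as an added example (not code from any answer or from phpBB): the whole comment goes through htmlspecialchars() before any BBCode is looked at, so the stray </div> from Plankton's answer and any tag the user typed literally are shown as text rather than stripped; only properly paired BBCode tags from a fixed list are then turned into HTML, and, because Paxwax's comment is right that a BBCode parser can introduce XSS on its own, [url=...] targets are accepted only when they are absolute http(s) links. The tag table, function names and sample comment are this example's own choices.

```php
<?php
declare(strict_types=1);

// BBCode tag => HTML element it becomes. Anything not listed stays literal text.
const SIMPLE_TAGS = ['b' => 'strong', 'i' => 'em', 'u' => 'u', 'code' => 'code', 'quote' => 'blockquote'];

function safeHref(string $escaped): ?string
{
    // $escaped has already been through htmlspecialchars(), so quotes and &
    // cannot break out of the attribute; only the scheme still needs checking.
    return preg_match('~^https?://[^\s\[\]]+$~i', $escaped) ? $escaped : null;
}

function renderBbcode(string $text): string
{
    // Step 1: make every literal <, >, &, " and ' inert before anything else happens.
    $out = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // Step 2: convert only properly paired tags, innermost first. A stray
    // [/quote] or an unclosed [i] never matches, so it is shown as typed and
    // cannot leave an HTML container open or close one in the page layout.
    $rules = [
        '~\[(b|i|u|code|quote)\](.*?)\[/\1\]~is' => static function (array $m): string {
            $el = SIMPLE_TAGS[strtolower($m[1])];
            return "<$el>{$m[2]}</$el>";
        },
        '~\[url=([^\]\s]+)\](.*?)\[/url\]~is' => static function (array $m): string {
            $href = safeHref($m[1]);
            // Refused targets (javascript:, data:, ...) are left as visible BBCode.
            return $href === null ? $m[0] : "<a href=\"$href\" rel=\"nofollow\">{$m[2]}</a>";
        },
    ];
    // Repeat until a full pass changes nothing, which resolves nested tags.
    do {
        $before = $out;
        foreach ($rules as $re => $cb) {
            $out = preg_replace_callback($re, $cb, $out);
        }
    } while ($out !== $before);

    return nl2br($out);
}

// Constructed sample comment (not taken from the page).
$comment = "Hi [b]there[/b] </div> [/quote] [url=javascript:alert(1)]x[/url] "
    . "[url=https://example.com/?a=1&b=2]site[/url] [i]left open";
echo renderBbcode($comment), PHP_EOL;
```

The order of the two steps is the whole point: once every raw character that can mean something to an HTML parser has been escaped, the only HTML that can reach the browser is what the converter itself emits, so reviewing the converter's handful of output templates (and the URL check) is enough to reason about what a commenter can inject. Note that the &amp; in the sample URL is already escaped when it lands in the href attribute, which is what makes the "no decoding before validation" rule in safeHref() sound.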
