Topic: Board Description - HTML

HTML is not being processed in board description. In my board description, it has this <a href="viewtopic.php?id=57">here</a>, but it is not displaying it as a link.

Re: Board Description - HTML

I'm removing the call to htmlspecialchars, Paul can revert my change if there was a reason the call was there.

3

Re: Board Description - HTML

Fear I guess.

4 (edited by Jérémie 2008-01-31 16:25)

Re: Board Description - HTML

There's one issue with not escaping: if a beginner admin has illegal glyphs in their simple forum's description (such as &, >, <).

A beginner won't know the XML error (or HTML validation error), or if he does, where it comes from and how easy it is to fix. And a simple description doesn't require HTML.

The best way of fixing this would probably be to check for HTML tags in the description string, and if there aren't any, do an htmlspecialchars. Or have an HTML/no-HTML checkbox alongside the description field.

However, if this is too far, too complex for PunBB "simplicity", it needs to be covered in the documentation ("use named entities instead of forbidden glyphs"), and probably hinted at during setup and in the backend.

Re: Board Description - HTML

Or we could leave it as it is, let people create an HTML sanitization extension if they want, and trust that a user who uses content negotiation or wants to have valid XHTML knows enough to fix any mistakes they make? smile

6 (edited by Jérémie 2008-01-31 18:48)

Re: Board Description - HTML

Smartys wrote:

wants to have valid XHTML knows enough to fix any mistakes they make? smile

The first point is absolutely wrong. Apart from selected professionals with a brain, nobody wants HTML or XHTML valid code, and nobody wants the opposite either; they don't know what it is and they don't. And yet, they all need it.

It's not the job of the average forum admin to know or care about these things, it's the job of the software and applications maker.

The second point is also absolutely wrong. The field says: "Board description (You may use HTML in the description)". It says nowhere, nor does it even hint about it, that the string one enters there now needs to be XML-proofed or it will break things.

I think you should either educate the user (read: the one installing, and the one administrating) about what not to do here, or handle it yourself.

This is not under the scope of an extension, I don't understand how it could be. The user just wants to enter a board description, why would he need an extension (and how will he know he needs one?) just because he's installing the "Best things in life - A Wine & Cheese community" forum, for example. Removing the htmlspecialchars in the first place could be an extension on the other hand, because if someone knows what cite, acronym, or anchor tags are, he may be OK with going the extra step of installing an extension for it.

Re: Board Description - HTML

Or just allow the use of BBCode in there, problem solved by the mighty parser.

Re: Board Description - HTML

That would be a midway solution; people needing tags and attributes not handled by the light parser would use an extension to allow Textile, HTML, or whatever.

9

Re: Board Description - HTML

There is a much simpler solution. Don't let people use HTML in the description. If somebody wants something fancy at the top of their board then they generally leave the description empty and replace the title with their own banner. I've never actually been able to work out why we allow this.

Re: Board Description - HTML

Paul: fair point, especially with the extension system and the templates being easy to replace.

Re: Board Description - HTML

elbekko wrote:

Or just allow the use of BBCode in there, problem solved by the mighty parser.

You said it. The "mighty" parser. We don't want to have to fire it up on all pages.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: Board Description - HTML

You could cache it.

Re: Board Description - HTML

Yeah, but it's overkill. There are other issues as well. We would only want to support a subset of BBCode. People putting code tags in the description is not something we want.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: Board Description - HTML

You could perhaps parse it as a signature then? Or do I remember incorrectly and you can put code tags/quotes in there.

But if you think it's overkill, you're probably right smile
Then just having htmlspecialchars() in place would be best indeed, with an extension to enable HTML.

15 (edited by guardian34 2008-02-01 22:38)

Re: Board Description - HTML

What about entities in the description?

Edit: Would html_entity_decode and htmlentities take care of that?

16

Re: Board Description - HTML

This has been sorted. It's now in a paragraph and the ability to use HTML has been removed.

Re: Board Description - HTML

Can we still use limited bbcode then? Being able to have a link to something in a board description is a nice trick.

~James
FluxBB - Less is more

Re: Board Description - HTML

No, see Rickard's comments on the subject.

19

Re: Board Description - HTML

Rickard wrote:

People putting code tags in the description is not something we want.

Just out of curiosity. Why?

Re: Board Description - HTML

guardian34 wrote:

Would html_entity_decode and htmlentities take care of that?

This works for me:

htmlentities(html_entity_decode($pun_config['o_board_desc'], ENT_NOQUOTES, 'UTF-8'), ENT_NOQUOTES, 'UTF-8')

Re: Board Description - HTML

MattF wrote:
Rickard wrote:

People putting code tags in the description is not something we want.

Just out of curiosity. Why?

Because it's not what the description field is for. If you want fancy markup, add it to the template.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

22

Re: Board Description - HTML

Rickard wrote:

Because it's not what the description field is for. If you want fancy markup, add it to the template.

I don't. big_smile I was just curious. big_smile

Re: Board Description - HTML

Do entities count as fancy markup?

Re: Board Description - HTML

Now that we're using UTF-8, there's really no need for entities. You should be able to just enter the actual character instead.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

25 (edited by MattF 2008-02-05 23:51)

Re: Board Description - HTML

Rickard wrote:

Now that we're using UTF-8, there's really no need for entities. You should be able to just enter the actual character instead.

But if you enter a description of say: Description & Suchlike

that's going to throw a parser error in XHTML 1.1, or put up a validation error in XHTML 1.0 if it's not being sanitised.

Edit: Granted, the XHTML 1.1/XML argument is fairly moot, at the moment.
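As an added illustration (not code from the thread or from PunBB/FluxBB) of guardian34's decode-then-encode one-liner and of MattF's "Description & Suchlike" case, the script below runs a few constructed descriptions through three output-escaping strategies so the double-encoding difference is visible. The sample descriptions and function names are assumptions made for this example.

```php
<?php
// Added example: compare output escaping of a board description that contains
// a bare "&", an already-encoded entity, or an HTML tag. Inputs are constructed.
$samples = [
    'Description & Suchlike',                    // bare "&": invalid XHTML if output raw
    'Wine &amp; Cheese community',               // admin already typed an entity
    'Best things in life <a href="x">here</a>',  // HTML, which the field no longer allows
];

// Strategy 1: plain htmlspecialchars. Escapes the bare "&" but turns an existing
// "&amp;" into "&amp;amp;", which then shows up literally on the page.
function escape_plain(string $desc): string {
    return htmlspecialchars($desc, ENT_NOQUOTES, 'UTF-8');
}

// Strategy 2: the decode-then-encode round trip from the thread. Existing
// entities are normalised to characters first, so nothing is double-encoded,
// and a bare "&" or "<" is still escaped on the way out. Note that htmlentities
// also converts non-ASCII characters (e.g. "é") to named entities, which is
// unnecessary once the board stores and serves UTF-8.
function escape_roundtrip(string $desc): string {
    $decoded = html_entity_decode($desc, ENT_NOQUOTES, 'UTF-8');
    return htmlentities($decoded, ENT_NOQUOTES, 'UTF-8');
}

// Strategy 3: htmlspecialchars with double_encode = false (PHP >= 5.2.3).
// Well-formed existing entities are left alone in a single pass, and only the
// five special characters are touched, so UTF-8 text passes through unchanged.
function escape_nodouble(string $desc): string {
    return htmlspecialchars($desc, ENT_NOQUOTES, 'UTF-8', false);
}

foreach ($samples as $desc) {
    echo "input:     $desc\n";
    echo "plain:     " . escape_plain($desc) . "\n";
    echo "roundtrip: " . escape_roundtrip($desc) . "\n";
    echo "nodouble:  " . escape_nodouble($desc) . "\n\n";
}
```

All three strategies keep the `<a>` tag from rendering as markup; they differ only in how an entity the admin typed by hand survives the trip to the page.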