Board Description - HTML (Page 1 of 3)

I'm removing the call to htmlspecialchars, Paul can revert my change if there was a reason the call was there.

There's one issue with not escaping: if a beginner admin has illegal glyphs in its simple forum's description (such as &, >, <).

A beginner won't know the xml error (or html validation error), or if he does where it comes from and how easy it is to fix. And a simple description doesn't require HTML.

The best way of fixing this would probably to check for HTML tags in the description string, if there aren't any do a htmlspecialchars. Or have a HTML/no-html checkbox alongside the description field.

However, if this is too far, too complex for PunBB ?simplicity?, it needs to be covered in the documentation (?use named entities instead of forbidden glyphs?), and probably hinted at setup and in the backend.

The first point is absolutely wrong. Apart from selected professionals with a brain, nobody want HTML or XHTML valid code, and nobody want the opposite either, they don't know what it is and they don't. And yet, they all need it.

It's not the job of the average forum admin to know or care about these things, it's the job of the software and applications maker.

The second point is also absolutely wrong. The field say: ?Board description (You may use HTML in the description)?. It says nowhere, nor does it even hint about it, that the string one enter there needs now to be XML proofed ir it will break things.

I think you should either educate the user (read: the one installing, and the one administrating) about what not to do here, or handle it yourself.

This is not under the scope of an extenstion, I don't understand how could it be. The user just want to enter a board description, why would he needs an extenstion (and how will he knows he needs one?) just because he's installing the ?Best things in life?A Wine & Cheese community? forum for example. Removing the htmlspecialchars in the first place could be an extenstion on the other hand, because if someone knows what cite, acronym, or anchor tag are, he may be ok with going the extra step installing and extenstion for it.

That would be a midway solution, people needing tags and attributes not handled by the light parser would use an extenstion to allow Textile, HTML, or whatever.

Paul: fair point, especially with the extension system and the templates being easy to replace.

You could cache it.

You could perhaps parse it as a signature then? Or do I remember incorrectly and you can put code tags/quotes in there.

But if you think it's overkill, you're probably right
Then just having htmlspecialchars() in place would be best indeed, with an extension to enable HTML.

This has been sorted. Its now in a paragraph and the ability to use html has been removed.

No, see Rickard's comments on the subject.

This works for me:

htmlentities(html_entity_decode($pun_config['o_board_desc'], ENT_NOQUOTES, 'UTF-8'), ENT_NOQUOTES, 'UTF-8')

I don't. I was just curious.

Now that we're using UTF-8, there's really no need for entities. You should be able to just enter the actual character instead.