Suggestion: Custom bbcode security improvement


Guest Vitaly

I think current custom bbcodes lack security. It's impossible to control parameter content. The simplest example: bbcode (published many times on this forum). There is no way to filter <, ", >, & and other signs from the video ID. So a bad ID can spoil the generated HTML code.

I propose adding a field for a regular expression that should be applied to the bbcode parameter. It can strip unwanted symbols or freeze conversion to HTML if the condition doesn't match.

The benefits are:
- easy to implement
- enough to give the necessary security for most cases.

Maybe that can be included in the nearest release?

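The per-bbcode regular expression proposed in the post above, sketched as an added example that is not part of the original thread and is not the forum software's code. The `video` tag, the rule table, the `video.example` URL and `render_custom_bbcode()` are hypothetical; it shows the "no conversion unless the parameter matches" variant.

```php
<?php
// Added illustration; every name here is hypothetical.
// Per-tag rule: an allowlist pattern the whole parameter must match, and an
// HTML template in which {param} is replaced by the validated value.
$rules = [
    'video' => [
        'pattern'  => '/\A[A-Za-z0-9_-]{1,32}\z/',
        'template' => '<a href="https://video.example/watch?v={param}">video</a>',
    ],
];

function render_custom_bbcode(string $text, array $rules): string
{
    // Escape the whole post first, so text outside the tags and any tag that
    // fails validation can never turn into markup.
    $safe = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    return preg_replace_callback(
        '/\[([a-z]+)\](.*?)\[\/\1\]/s',
        function (array $m) use ($rules): string {
            [$whole, $tag, $param] = $m;
            if (!isset($rules[$tag])) {
                return $whole; // unknown tag: stays as escaped text
            }
            // Validate the value the user typed, not its escaped form.
            $raw = htmlspecialchars_decode($param, ENT_QUOTES);
            if (preg_match($rules[$tag]['pattern'], $raw) !== 1) {
                return $whole; // condition not met: no conversion to HTML
            }
            // Escape again on output as a second layer behind the pattern.
            $value = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
            return str_replace('{param}', $value, $rules[$tag]['template']);
        },
        $safe
    );
}

// Constructed sample input: one well-formed ID, one with the characters the
// post lists (<, ", >, &).
echo render_custom_bbcode('[video]abc_123-XYZ[/video]', $rules), "\n";
echo render_custom_bbcode('[video]abc"><b>bad</b>&[/video]', $rules), "\n";
```

The first line is converted to the link; the second is left as escaped text, so the tag is shown literally instead of altering the page's HTML.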

  • 2 weeks later...

No, it's a good idea. But we plan on overhauling the custom bbcode system (and implementing a lot of great ideas Cy posted several months ago) in 3.x roughly...so this would wait until then most likely.



Anyway, good news. Thanks for the reply.

Thanks great,

I have one more proposal. If you plan to make a really flexible bbcode system, you could add PHP functions in each bbcode config. That's not difficult to implement. Then there's no need to make separate fields for regular expressions.

Archived

This topic is now archived and is closed to further replies.