Jump to content

Feature - BBCode PHP Processor


Guest StrangeWill

Recommended Posts

An awesome feature I would think is the ability to include a PHP file with a BBCode that you setup, basically so that you can execute some logic code needed for proper formatting. It makes it easy to redistribute BBCode and also allows for a HUGE range of things you can use (not to mention, you can access the entire IPB library for additional processing).


Basically just a function that hands off the user input in certain fields, and whatever value is returned is the generated output... :P Simple, easy, extremely effective, extremely powerful.

Link to comment
Share on other sites

That'd be awesome for things like video embedding - so that the user could just paste the entire video URL, instead of trying to explain how to find the video ID, etc.

Cool idea. :D

Link to comment
Share on other sites

I'm afraid I don't completely follow... you want your members to create their own bbcode? seems awfully dangerous to me if you want that.

Link to comment
Share on other sites

I did this as a modification in 2.1... It's not a very complicated thing to do, as long as you have the bbcode parser setup right and make sure the same file isn't included or declared more than once (if two bbcodes use the same php plugin).

Decided to remove it when I upgraded to 2.2 because I'm sick of the time it takes me to make custom modifications to the source code... We used a "random" tag which was really popular among my community. Out of all the custom things I removed, that recieved the most complaint of all...

Would be very sweet if it was added in 2.2.3 :wub:

I'd donate money! o:)

(May have been mentioned earlier, but it would make PHP syntax highlighting extremely simple to do)

Link to comment
Share on other sites

  • 2 weeks later...

I would disagree.. That would be a security issue. The best way to do this, like any other module, would be for the admin to upload it via FTP and type in the file name.



How would it be a security issue :blink: Unless I'm misunderstanding, he is saying admins should be able to share custom BB code by exporting them as XML for other site owners to import to their installation. Makes sense to me.
Link to comment
Share on other sites

How would it be a security issue :blink: Unless I'm misunderstanding, he is saying admins should be able to share custom BB code by exporting them as XML for other site owners to import to their installation. Makes sense to me.



I'm guessing Luke is thinking along the lines of "Can you trust your admins?". I'd personally never give someone access to my ACP if I didn't, but clearly not everyone shares that. :)
Link to comment
Share on other sites

Exporting isn't much of a problem. Importing is more of the issue. You don't want anyone, even with AdminCP access, to execute PHP code at will. It's enough that the settings has had the raw php thing... That was replaced with a settings plugin, which you would have to upload with PHP. The only reason why raw php is still there is for legacy reasons... I don't see the raw php thing staying in the next major version (not counting 2.3).

And if you can't import, there's no sense in exporting it. And the other potential issue is if someone did get into your AdminCP, would you want them downloading your files. If an import/export thing were added like you mentioned, it would have to be added for components and other things as well. I suppose to make it secure you could add a define in init.php to allow import/export.... You would just turn it on when you need it... But it would be easier just to upload the file in that case.

And it's more than "do you trust your admins". It's "what if someone gets into your AdminCP?". It has happened to people before... I don't know how common it is in 2.2, but nothing is impossible. If it happened to me, I wouldn't want them to have access to PHP.... It's bad enough they would have DB access.

Link to comment
Share on other sites

If someone gets into my ACP he'll just delete my entire forum. :P

I figure this may be a feature only set to root admins maybe?


I figure the import would just do the same thing (create a PHP file in the BBCode directory with the code inside of it), just minus FTP access. Maybe make it so the root admin has to approve before it is created into a file (it sits in a queue?)

Link to comment
Share on other sites

i think it makes more sense and is definitely more secure to have a folder for custom bbcode and a field in the custom bbcode area where you put in the name of the file. then people just have to upload the file, it could make sense that if there becomes a lengthy settings area for custom bbcode then be able to export them BUT the php file code should definitley ONLY be uploadable.

Link to comment
Share on other sites

The same "safety" argument could be said for skins, skin images, emotes, badwords, and....bbcode (already). There is nothing wrong with importing via a file. Just be sure, like a program on your PC, that you use uploads from a reliable source. There is no need to upload a php file. It could be serialized, encoded, and included in the XML file for upload. It is far easier this way and more reliable.

Link to comment
Share on other sites

the skins import html from xml tho so theres no real opportunity to put in some php code that could potential leading to a hacking of your forum. importing php from a php file is far more less secure. the encode xml idea is better but its still more complicated that just uploading a php file like you do with the portal and profile portal and components.

Link to comment
Share on other sites

There is no need to upload a php file. It could be serialized, encoded, and included in the XML file for upload. It is far easier this way and more reliable.



Come on, read my posts before fighting them please. ;)
Link to comment
Share on other sites

And the fact that you would be able to upload and execute PHP code from the Admin panel makes it a security risk if someone got inside of it. Safest way is have the admin installing it upload the file to the correct directory and type in the file name in AdminCP.

All the other import functions don't import PHP files.

Link to comment
Share on other sites

You aren't executing anything! Look at group settings. You can use PHP in those in the same manner that you are requesting here. So I guess that is a threat as well according to your logic. No, I'm not saying that you upload and execute any file from the ACP. PHP is nothing but TEXT until you tell it to be otherwise. While it is contained in an XML file it is text, unless you run EVAL on it. The data could then be store in the database (like group settings) and/ or cache to a php file. The php file or database store would then only be processed if the bbcode it is assigned to is called on. If you use an untrusted source, anything is a security risk. You can't protect everything. Be smart about whom and what you choose to download and install. Using an automated process instead of manually installing is no more a risk than the manual install.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...