Why arent bbcodes protected functions

[chasz]

if ipb is worried about skinner inserting dubious codes in the skins then

why not set up a cutrom key for each bbcode

[Ryan H.]

uh... what?

[Tom Christian]

ha :P that is a good suggestion. I'm sure IPS will check for these things though. Regardless of that anyway, I don't think anyone would really in their right mind do such a thing ;)

[bfarber]

Yeah I'm lost. Can you explain your suggestion please?

[chasz]

OK every forum has a special custom key: ipb, gottalk, invisionize etc

so when bbcodes are run, the skin has to check for this key

BUT i am lost !!! i can run ALL javascripts through the skins anyways, so why bother to parse it out of the bbcodes?? especially when the admin is the only ones who can edit them !!

If you mean that the editors in the ACP are the same as the front, and they use the same functions, they why NOT write a secondary function for the ACP and admins?

[Michael]

Ah, so it's yet another topic about you wanting to use javascript in code in the editor. :rolleyes:

[bfarber]

Ah, ok. To summarize...

You want to be able to use javascript in the editor.

[chasz]

i need to be able to allow js thru bbcodes !! bbcodes are the filter for public posting. if i can use bbcodes i need to do so from anywhere

[Smokey-Rev]

Wouldn't that cause potential security issues though? Allowing javascript to be posted?

[chasz]

[quote name='Smoke-ZB' date='27 May 2009 - 05:48 AM' timestamp='1243399693' post='1805493']
Wouldn't that cause potential security issues though? Allowing javascript to be posted?



you tell me dude. the whole web 2 is based on JS.....the JS function is wrapped up in bbcodes, and the output is through IPB. Its as controlled as u can get it....

why do a hard stripping and then leave it all open in the skin?? Sounds all Maginot Line to me !!

Its like shooting off ya leg because you got a snake bite; sometime u have to but is it this time?

[Mark]

[quote name='Smoke-ZB' date='27 May 2009 - 05:48 AM' timestamp='1243399693' post='1805493']
Wouldn't that cause potential security issues though? Allowing javascript to be posted?


Yes.

[Brett B]

Bring back neg rep please

[bfarber]

You need to change how you do what you are trying to do. I don't even know what you are trying to do, but you can always just give your content a class in the bbcode and then use javascript in your skin to execute on that class

// Here's your javascript code to execute on element });

But this isn't the place for support. I feel relatively confident in saying we won't be bringing in javascript to be allowed via the editor itself. Can't say for sure about custom bbcodes, but ultimately security is going to trump functionality when it's a non-essential feature.

$$('.someclass').each( function(element) {