Forum BBCodes

Any problem ? Don't panic! We have the solution !

Moderator: TM-Patrol

Post Reply
User avatar
Ant
TM-Patrol
TM-Patrol
Posts: 1845
Joined: 01 Dec 2007 17:04
Owned TM-games: TMN, TMUF, TM Wii
Location: London, England
Contact:

Forum BBCodes

Post by Ant » 16 Aug 2010 17:46

Apologies if this is in the wrong place, but I have a quick question. I recently made my own phpBB forum for my website and I wanted to add some BB codes to the posts, I found out the codes for manialink and server are as follows :

Manialink: e.g [manialink=][/manialink]

Code: Select all

[manialink={SIMPLETEXT}]{SIMPLETEXT2}[/manialink]

<a href=tmtp:///:{SIMPLETEXT}>{SIMPLETEXT2}</a>
Server: e.g [server=][/server]

Code: Select all

[server={SIMPLETEXT}]{SIMPLETEXT2}[/server]

<a href=tmtp://#join={SIMPLETEXT}>{SIMPLETEXT2}</a>
But what is the proper code to add for the score button ? I tried a few different things, but I can't work it out :?

Edit: Most recently I have tried this for score:

Code: Select all

[score]{SIMPLETEXT}[/score]

<a href>tmtp://#score={SIMPLETEXT}</a>
Which also doesn't work - but to me, looks like it really should. Does anyone know what i'm doing wrong here ?

Edit: I also tried this for the html replacement

Code: Select all

<a href=tmtp://#score={SIMPLETEXT}>{SIMPLETEXT}</a>
And that also doesn't work :? :?

Actually, could a board admin just tell me what these codes are please - someone must have had to add them here.

User avatar
Ant
TM-Patrol
TM-Patrol
Posts: 1845
Joined: 01 Dec 2007 17:04
Owned TM-games: TMN, TMUF, TM Wii
Location: London, England
Contact:

Re: Forum BBCodes

Post by Ant » 18 Aug 2010 17:09

Its ok now, I can get score tags like this:

BBCode usage

Code: Select all

[score]{SIMPLETEXT1}:{SIMPLETEXT2}:{SIMPLETEXT3}:{SIMPLETEXT4}[/score]
HTML replacement

Code: Select all

<a href="tmtp://#score={SIMPLETEXT1}:{SIMPLETEXT2}:{SIMPLETEXT3}:{SIMPLETEXT4}">{SIMPLETEXT1}:{SIMPLETEXT2}:{SIMPLETEXT3}:{SIMPLETEXT4}</a>
It's not exactly like it is on this forum, but it's close enough. I got this from help at the phpBB forum.

Edit: With this code the user would type

Code: Select all

[score]nickname:challenge:time[/score]
and leave out the tmtp://#score= part.

Edit: Could someone please still help me out with how its implemented here though ?

User avatar
BLaHiTiS
lord of the roads
lord of the roads
Posts: 3331
Joined: 12 Aug 2005 15:46
Owned TM-games: tmu tmo tms tmn
Manialink(s): muxitis
Location: Hasselt, Limburg, Belgium
Contact:

Re: Forum BBCodes

Post by BLaHiTiS » 18 Aug 2010 21:38

Code: Select all

[score]{TEXT1}[/score]
<a href={TEXT1}>{TEXT1}</a>
I don't exactly know why I didn't use simpletext here , i vaguely remember that I had to do it like this because simpletext would fail at parsing some symbols correctly or something like that, probably the: And to make a bb code that chops up time and challenge would be a bit complicated for the user because they would have to extract that from the url, so it's better just to parse the whole thing as text and hope their tmtp:// protocol is propperly defined for links
Image

  • MB:Asus P8 H61
  • CPU:Intel i5 2400
  • RAM:8 Gb
  • GFX:Asus GTX-580 (1500mb DDR5) - Forceware 75.33
  • DirectX: June 2011
  • SND:Realtek HD on mobo
  • OS:Windows 7 SP1- Home Premium
[/size]

User avatar
Ant
TM-Patrol
TM-Patrol
Posts: 1845
Joined: 01 Dec 2007 17:04
Owned TM-games: TMN, TMUF, TM Wii
Location: London, England
Contact:

Re: Forum BBCodes

Post by Ant » 18 Aug 2010 21:40

Ok thank you very much, i'll try that now and post back my results.

Edit: Nice one, it works :D The only thing is, in the ACP I got this message
Warning
The BBCode you are trying to add seems to use a {TEXT} token inside a HTML attribute. This is a possible XSS security issue. Try using the more restrictive {SIMPLETEXT} or {INTTEXT} types instead. Only proceed if you understand the risks involved and you consider the use of {TEXT} absolutely unavoidable.
Thats not anything to worry about is it ?

User avatar
BLaHiTiS
lord of the roads
lord of the roads
Posts: 3331
Joined: 12 Aug 2005 15:46
Owned TM-games: tmu tmo tms tmn
Manialink(s): muxitis
Location: Hasselt, Limburg, Belgium
Contact:

Re: Forum BBCodes

Post by BLaHiTiS » 18 Aug 2010 22:25

you could try INTTEXT , provided that it doesn't filter any tokens, and that's just the thing what made me use text , otherwise I'll have to search myself for a better solution.
Image

  • MB:Asus P8 H61
  • CPU:Intel i5 2400
  • RAM:8 Gb
  • GFX:Asus GTX-580 (1500mb DDR5) - Forceware 75.33
  • DirectX: June 2011
  • SND:Realtek HD on mobo
  • OS:Windows 7 SP1- Home Premium
[/size]

User avatar
Ant
TM-Patrol
TM-Patrol
Posts: 1845
Joined: 01 Dec 2007 17:04
Owned TM-games: TMN, TMUF, TM Wii
Location: London, England
Contact:

Re: Forum BBCodes

Post by Ant » 18 Aug 2010 22:42

EDIT: Better usage and HTML replacements are in this post
BLaHiTiS wrote:you could try INTTEXT , provided that it doesn't filter any tokens, and that's just the thing what made me use text , otherwise I'll have to search myself for a better solution.
Well as I said above, someone from the phpBB Forum gave me this that works as well.
http://www.phpbb.com/community/viewtopi ... #p12845063
ric323 wrote:Try this:

BBCode usage

Code: Select all

[score]{SIMPLETEXT1}:{SIMPLETEXT2}:{SIMPLETEXT3}:{SIMPLETEXT4}[/score]
HTML replacement

Code: Select all

<a href="tmtp://#score={SIMPLETEXT1}:{SIMPLETEXT2}:{SIMPLETEXT3}:{SIMPLETEXT4}">{SIMPLETEXT1}:{SIMPLETEXT2}:{SIMPLETEXT3}:{SIMPLETEXT4}</a>
Help line (fix whatever the 4th parameter should be called)

Code: Select all

[score]Nickname:Challenge:Time:???[/score]
Example usage

Code: Select all

[score]tidhart:B12-Race:45350:A909ED5D[/score]
You get no warnings like that, but a user will have to copy their link into the tags and delete the tmtp://#score= part before they post. By the way, what is the name of the 4th parameter ?

EDIT: After a long time with no reply about the name of the 4th parameter, I simply decided to call it "hash" (at least on my forum anyway)

Now the helpline should read:

Code: Select all

Score challenge: Place the tmtp://#score=nick:challenge:time:hash between these tags
Last edited by Ant on 31 Mar 2011 22:34, edited 2 times in total.

User avatar
Ant
TM-Patrol
TM-Patrol
Posts: 1845
Joined: 01 Dec 2007 17:04
Owned TM-games: TMN, TMUF, TM Wii
Location: London, England
Contact:

Re: Forum BBCodes

Post by Ant » 18 Aug 2010 23:12

BLaHiTiS, ric323 from the phpBB Forum has shown me this way that works perfectly:
http://www.phpbb.com/community/viewtopi ... #p12845590

BBCode usage:

Code: Select all

[score]tmtp://#score={SIMPLETEXT1}:{SIMPLETEXT2}:{SIMPLETEXT3}:{SIMPLETEXT4}[/score]
HTML replacement:

Code: Select all

<a href="tmtp://#score={SIMPLETEXT1}:{SIMPLETEXT2}:{SIMPLETEXT3}:{SIMPLETEXT4}">{SIMPLETEXT1}:{SIMPLETEXT2}:{SIMPLETEXT3}:{SIMPLETEXT4}</a>
Help line: (Fixed 4th parameter name now)

Code: Select all

Score challenge: Place the tmtp://#score=nick:challenge:time:hash between these tags
and the example usage would be this:

Code: Select all

[score]tmtp://#score=tidhart:B12-Race:45350:A909ED5D[/score]
It will still work how it does now on this forum, but you no longer have the warning and a possible XSS security hole on the board. :thumbsup:
Last edited by Ant on 31 Mar 2011 22:23, edited 2 times in total.

User avatar
svens
speedy pilot
speedy pilot
Posts: 304
Joined: 05 Dec 2009 23:30
Owned TM-games: TMUF, TMS, TMO
Location: Bern, CH
Contact:

Re: Forum BBCodes

Post by svens » 18 Aug 2010 23:39

Ant wrote:It will still work how it does now on this forum, but you no longer have the warning and a possible XSS security hole on the board. :thumbsup
PhpBB ist not very famous for security, but the devs don't miss that obvious problems ;) (yep, I tried it, someone correct me if he succeeds)

User avatar
Ant
TM-Patrol
TM-Patrol
Posts: 1845
Joined: 01 Dec 2007 17:04
Owned TM-games: TMN, TMUF, TM Wii
Location: London, England
Contact:

Re: Forum BBCodes

Post by Ant » 19 Aug 2010 00:02

svens wrote: PhpBB ist not very famous for security, but the devs don't miss that obvious problems ;) (yep, I tried it, someone correct me if he succeeds)
Forgive me for not understanding you correctly, but what did you try ?

User avatar
svens
speedy pilot
speedy pilot
Posts: 304
Joined: 05 Dec 2009 23:30
Owned TM-games: TMUF, TMS, TMO
Location: Bern, CH
Contact:

Re: Forum BBCodes

Post by svens » 19 Aug 2010 14:25

Ant wrote:a possible XSS security hole on the board. :thumbsup:
There's no XSS hole introduced by the score tag. Or what was it that you wanted to say? :)

User avatar
Ant
TM-Patrol
TM-Patrol
Posts: 1845
Joined: 01 Dec 2007 17:04
Owned TM-games: TMN, TMUF, TM Wii
Location: London, England
Contact:

Re: Forum BBCodes

Post by Ant » 19 Aug 2010 17:06

well when I asked about it on the phpBB Forum, this is what I got told:
Yes, that most definitely IS a problem, which is why I didn't do it that way.
Don't do it the way that person advised, that is opening up a security risk on your board.
As the message advises, you should NEVER place a "TEXT" token INSIDE an HTML tag in your "HTML replacement" box.

Post Reply