BBCode Anchor and Goto tags...

Have something to say about forums.debian.net itself?

BBCode Anchor and Goto tags...

Postby mdevour » 2009-12-09 11:39

I installed phpBB 3 on my machine this evening and spent some hours adding and testing custom [Anchor] and [Goto] tags, just to see what was involved with the configuration and whether there were any obvious flaws with the idea. I managed to clean up the instructions and eliminate a couple of problems with the versions suggested in this post:

http://www.phpbb.com/community/viewtopic.php?f=72&t=1218005

Enter the admin CP, click the Posting tab, then Add a new BBCode.

Under BBCode usage:
Code: Select all
[anchor={IDENTIFIER}]{TEXT}[/anchor]

HTML replacement:
Code: Select all
<a name="{IDENTIFIER}" href="#{IDENTIFIER}">{TEXT}</a>

Help line (optional):
Code: Select all
Anchor: [anchor=anchor_name]any text[/anchor]

Click the 'Display on posting page' check box if you want to put an [anchor=] button on the post editor page. (I probably wouldn't.)

Then click submit.

Repeat these steps for the goto tag:
BBCode usage:
Code: Select all
[goto={IDENTIFIER}]{TEXT}[/goto]

HTML replacement:
Code: Select all
<a href="#{IDENTIFIER}">{TEXT}</a>

Help line (optional):
Code: Select all
Goto: [goto=anchor_name]Link Text[/goto]

The Goto tag will jump to an anchor anywhere in the post. If it cannot find the named anchor it fails cleanly by doing nothing.

The Anchor tag creates the named anchor with (optional) visible text acting as a self-referencing link. It generates a fully qualified URL pointing to that anchor, which can be linked to from other threads or even other sites.

In both cases, using the IDENTIFIER token should prevent anyone from entering something more complicated than a simple name; e.g., an external URL or random HTML tag. Nothing I tried to put in there succeeded in doing anything but cleanly breaking the BBCode tag.

If you quote or edit a post containing these tags they are copied into the editing window intact. When you preview or post the quoted content, the links still work. If an anchor is duplicated elsewhere in the post or the thread, quoted or not, a goto will default to the first occurrence of the anchor on that page of the thread. Certainly you can screw up the organization of your own post if you work at it, but it doesn't break the forum software.

The result is we can create the following kind of post, where the blue text items are live links that do what you'd expect them to:

Lorem ipsum dolor...
by mdevour on Wed Dec 09, 2009 7:18 am

Introductory text goes here... Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut id orci magna. Nulla facilisi. Integer aliquet ligula vel lacus viverra ullamcorper. Etiam venenatis, ante ac imperdiet condimentum, mauris mauris ultrices dui, nec facilisis magna odio eu quam.

Contents

    Section 1
    Section 2
    Section 3

Heading for section 1...


Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut id orci magna. Nulla facilisi. Integer aliquet ligula vel lacus viverra ullamcorper. Etiam venenatis, ante ac imperdiet condimentum, mauris mauris ultrices dui, nec facilisis magna odio eu quam. Duis accumsan commodo mauris id varius. In quis ipsum felis. In hac habitasse platea dictumst. Etiam vel mattis sapien.

Return to Contents

Heading for section 2...


Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut id orci magna. Nulla facilisi. Integer aliquet ligula vel lacus viverra ullamcorper. Etiam venenatis, ante ac imperdiet condimentum, mauris mauris ultrices dui, nec facilisis magna odio eu quam. Duis accumsan commodo mauris id varius. In quis ipsum felis. In hac habitasse platea dictumst. Etiam vel mattis sapien.

Return to Contents

Heading for section 3...


Etcetera...


The BBCode would look like this:
Code: Select all
Introductory text goes here... Lorem ipsum ... etcetera ...

[size=150][b][anchor=tocanchor]Contents[/anchor][/b][/size]
[list]
[goto=testanchor1]Section 1[/goto]
[goto=testanchor2]Section 2[/goto]
[goto=testanchor3]Section 3[/goto]
[/list]

[size=150][b][anchor=testanchor1]Heading for section 1...[/anchor][/b][/size]

Lorem ipsum ... etcetera ...

[size=85][goto=tocanchor]Return to Contents[/goto][/size]

[size=150][b][anchor=testanchor2]Heading for section 2...[/anchor][/b][/size]

Lorem ipsum ... etcetera ...

[size=85][goto=tocanchor]Return to Contents[/goto][/size]

[size=150][b][anchor=testanchor3]Heading for section 3[/anchor][/b][/size]

Etcetera...

Yes, we could just contribute such content to the Debian Wiki instead, or strew the sections across multiple posts in a forum thread. The addition of this feature, though, will enable us to create a new kind of content on this site which is very attractive and highly functional, as can be seen on the phpBB support forum, for example:

http://www.phpbb.com/community/viewtopic.php?f=74&t=926045
http://www.phpbb.com/community/viewtopic.php?f=46&t=579376

I ask the admin team to seriously consider setting this up. I think I've streamlined the instructions and bullet-proofed things to where it should be quick to implement and safe for the forum. We've discussed it some already in a previous thread and by PM, but I wanted to eliminate whatever obstacles I could and make one last attempt. I'll abide by your decision, but I would appreciate knowing the nature of your concerns should you choose not to go with it. Post or PM me as you prefer.

Thank you very much.

Mike D.
mdevour
 
Posts: 342
Joined: 2006-03-05 17:55

Re: BBCode Anchor and Goto tags...

Postby Mez » 2009-12-12 16:17

Mike,

I've recieved your messages. I am unable to make a decision lightheartedly here. Looking at the proposed, I see that there are some potential security issues that might arise from this.

Please be patient with me, I am currently swamped at my day job, and therefore do not have the time to review the internals of phpBB to see whether this will pose a security risk, and/or whether this will require changes to the code base.
User avatar
Mez
Debian Developer, Forum Ninja
Debian Developer, Forum Ninja
 
Posts: 225
Joined: 2009-04-23 22:04

Re: BBCode Anchor and Goto tags...

Postby mdevour » 2009-12-12 18:37

Mez wrote:Mike,

I've recieved your messages. I am unable to make a decision lightheartedly here. Looking at the proposed, I see that there are some potential security issues that might arise from this.

Please be patient with me, I am currently swamped at my day job, and therefore do not have the time to review the internals of phpBB to see whether this will pose a security risk, and/or whether this will require changes to the code base.

I understand perfectly, Mez, and I appreciate your acknowledgment.

IF they can be used as straight custom BBCodes, no changes to the program code should be required. We would just be exercising an existing feature. As you say, there might be some un-obvious vulnerabilities that might have to be coded around or would disallow the whole thing.

I will register with the phpBB forums and ask if anyone there can foresee a problem, just for some additional input while you're digging yourself out. :)

Peace,

Mike D.
mdevour
 
Posts: 342
Joined: 2006-03-05 17:55

Re: BBCode Anchor and Goto tags...

Postby Mez » 2009-12-13 05:18

mdevour wrote:I will register with the phpBB forums and ask if anyone there can foresee a problem, just for some additional input while you're digging yourself out. :)


[anchor=" href="javascript:alert(document.cookie)"><br ]

springs to mind off of the top of my head, it's that kind of thing that I'd have to be careful about.
User avatar
Mez
Debian Developer, Forum Ninja
Debian Developer, Forum Ninja
 
Posts: 225
Joined: 2009-04-23 22:04

Re: BBCode Anchor and Goto tags...

Postby mdevour » 2009-12-13 10:39

Mez wrote:[anchor=" href="javascript:alert(document.cookie)"><br ]

springs to mind off of the top of my head, it's that kind of thing that I'd have to be careful about.

Right. That's the kind of shenanigans I don't know enough about to be properly afraid of.

If you enter the ACP, click the Posting tab, then the Add a New BBCode button, at the bottom of that screen is info on the kinds of tokens that can be used in the code definition.

If you use the {IDENTIFIER} token, as I did, it limits the characters you can include in the href= and name= arguments to: "Characters from the latin alphabet (A-Z), numbers, hyphen and underscore." It's the most restrictive of the parsers except the one that allows only numbers.

The colon, parentheses, period, >, <, and = in your example should each be enough to "break" the tag. So the question becomes, what damage, if any, can be done without the use of any punctuation but '-' and '_'?

I've posted at the phpBB forum. If nobody there can see a problem it doesn't prove that there isn't one, but if they do, it can give us more to consider.

Thanks,

Mike D.
mdevour
 
Posts: 342
Joined: 2006-03-05 17:55

Re: BBCode Anchor and Goto tags...

Postby mdevour » 2009-12-14 09:11

mdevour wrote:I've posted at the phpBB forum. If nobody there can see a problem it doesn't prove that there isn't one, but if they do, it can give us more to consider.

Mez,

When you get the chance to look into this further, I've gotten some good input from a member of the mod team over at the phpBB forum. He's given me a small tweak to the configs that eliminates the potential for some minor shenanigans, and is otherwise confident that the new codes should be safe. The thread is:

http://www.phpbb.com/community/viewtopic.php?f=46&t=1898025&p

I've tested the changes on my local forum. The modified configurations are these:

Anchor Tag:
Code: Select all
BBCode usage: [anchor={IDENTIFIER}]{TEXT}[/anchor]
HTML replacement: <a name="at_{IDENTIFIER}" href="#at_{IDENTIFIER}">{TEXT}</a>
Help line: Anchor: [anchor=anchor_name]any text[/anchor]

Goto Tag:
Code: Select all
BBCode usage: [goto={IDENTIFIER}]{TEXT}[/goto]
HTML replacement: <a href="#at_{IDENTIFIER}">{TEXT}</a>
Help line: Goto: [goto=anchor_name]any text[/goto]

I've added the characters 'at_' before each occurrence of the {IDENTIFIER} token in the name= and href= arguments. These are just a few randomly chosen characters; they could be anything legal for that place in the HTML.

The thing this prevents is some wiseacre spoofing the anchors on the thread display pages by making the name= argument look like 'p123456' and causing the URL to duplicate one for another post in the thread. Instead it forces the HTML to be name="at_p123456" etc.,. which won't confuse phpBB at all.

I was fairly impressed. It is a subtle point. 8)

If you have any questions or want to delegate more research to me, let me know.

Thanks,

Mike D.
mdevour
 
Posts: 342
Joined: 2006-03-05 17:55


Return to Forum stuff & feedback

Who is online

Users browsing this forum: No registered users and 4 guests

fashionable