Hello Greg,

Friday, July 8, 2005, 5:00:23 PM, you wrote:

GD> On 7/8/05, Ryan A <ryan@xxxxxxxxxxxx> wrote:
>> Yep, but this has no way of breaking my html....

GD> If [/i] is missing, it'd be the same as </i> being missing.

I have to say I disagree, because with all modern BBcode parsers it would never get to that stage. If the user misses out the closing [/i] tag then when it comes to parse the BBcode into HTML it'd never happen. All decent BBcode parsers search for both pairs of tag. If an opening [i] is found but no corresponding close tag, both would be ignored and skip onto the next check. I haven't seen one that did a straight str_replace for a long time now (although I guess they still exist! and in those cases I agree with you, they are pointless and utterly insecure).

If you allow direct HTML as user input, you HAVE to check and validate every single aspect of their HTML for all possible errors, typos, included XSS attacks, etc - and if you fail in even one of these checks, they can break the layout of your site, or worse. Whereas with BBcode the worst that can happen (in this instance) is that the user looks like an idiot because [i] tags are left in their input.

Another benefit IMHO is that you control what [i] gets turned into, for example I don't use <i> tags in my HTML as I don't believe they are semantically descriptive. But not everyone will know what the heck an <em> does, just as with [b] to <strong>, etc.

The second you allow <&> for direct use you do open, imho, a whole can of worms that you'd better be absolutely sure you have faultlessly checked and double-checked, because as you know there's no room for error these days.

Best regards,

Richard Davey
--
http://www.launchcode.co.uk - PHP Development Services
"I do not fear computers. I fear the lack of them." - Isaac Asimov

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
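
The difference between the two parser styles discussed in the message above, as an added example that is not part of the original post or thread. The function names bbcode_naive and bbcode_paired are hypothetical, the [i] to <em> and [b] to <strong> mapping follows the message, and escaping the input with htmlspecialchars before parsing is an assumption of this sketch.

```php
<?php
// Straight str_replace: every tag is converted on its own, so an unclosed
// [i] becomes an unclosed <em> that runs on into the rest of the page.
function bbcode_naive(string $input): string
{
    $text = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
    return str_replace(['[i]', '[/i]', '[b]', '[/b]'],
                       ['<em>', '</em>', '<strong>', '</strong>'], $text);
}

// Paired parsing: an opener is converted only once its matching closer is
// found; unmatched or mis-nested tags stay in the output as literal text.
function bbcode_paired(string $input): string
{
    $map = ['i' => 'em', 'b' => 'strong'];   // the site decides the output element
    // Escape first, so raw HTML typed by the user is never emitted as markup.
    $text = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
    $tokens = preg_split('~(\[/?(?:i|b)\])~i', $text, -1, PREG_SPLIT_DELIM_CAPTURE);
    $out = [];     // output pieces, in order
    $stack = [];   // open tags: [tag name, index of the opener in $out]
    foreach ($tokens as $tok) {
        if (!preg_match('~^\[(/?)(i|b)\]$~i', $tok, $m)) {
            $out[] = $tok;                    // plain, already escaped text
            continue;
        }
        $tag = strtolower($m[2]);
        if ($m[1] === '') {                   // opener: keep literal for now
            $stack[] = [$tag, count($out)];
            $out[] = $tok;
        } elseif ($stack && end($stack)[0] === $tag) {
            $pos = array_pop($stack)[1];      // closer matches innermost opener
            $out[$pos] = '<' . $map[$tag] . '>';
            $out[] = '</' . $map[$tag] . '>';
        } else {
            $out[] = $tok;                    // stray closer stays literal
        }
    }
    return implode('', $out);
}

// Constructed sample input: an unclosed [i], raw HTML, and a complete [b] pair.
$sample = 'Hello [i]world, <i>raw html</i> and [b]bold[/b]';
echo bbcode_naive($sample), "\n";
echo bbcode_paired($sample), "\n";
```

Because bbcode_paired emits an element only when a closer matches the innermost open tag, its HTML output is always balanced and correctly nested, whatever the user typed.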