The process function used for sanitizing input does not process " and therefore in some cases (especially with custom tags) cause possibly XSS vulnerabilities.
For example, if I created a tag that began with <img src="/myimage.png" title=" and then ended with " />, the user could input " onerror="alert('malicious javascript')" href=" and execute malicious JS.
This does not seem to affect any of the default tags provided with XBBCode-Parser, but it's a huge security hole that's not obvious to people creating their own tags.
I suggest that " be escaped to "", along with 'being escaped to'(in case the developer used'instead of"`).

Thanks

It would be great to have this bbcode parser on npm.

I found this fork at https://github.com//epochtalk/bbcode-parser but it would be good to have the original one available there.

I want to disable some tags such as img, font, code and others.

How can I do this?

Best javascript lib for BB code!

However, I need to use tags around multiple bullet tags. Like this:

[list][color=#FF0000][*]item1[*]item2[/color][/list]

I removed some of the allowed parents/children stuff but I have a problem with the fixStarTag function.

After that one is run I get:

[list][color=#FF0000][*]item1[/*][*]item2[/color][/*][/list]

As you can see the end tag of color is included inside the second [* ] tag.
I suppose one need to add so that the content inside the [* ][/* ] tag must not contain any end tags without matching start tags.

I'm not sure how to fix this and would appreciate some help.

Hi,
I want to post text and image(s) in same post. Even if I enter it in different lines, final markup gets them in same line. Can we fix this issue?

Right now If i give it this BBCode

[quote]
[/b]Testing
[/quote]

It won't parse at all, because of the misaligned tags. But since this is a fairly benign user error, is there a way to have the script ignore the errors and atleast still parse the quote bbcode?

Thanks for the amazing script otherwise!

Tags like [br] or [hr] or even ones that have attributes like [tag=value] or [tag=value attribute=value]. Are these not supported?

To help users debug their BBCode markup and to generally enhance the level of error feedback, I've been validating the params and content in the openTag function of my tag specifications.

Here's an example of what I've got working:

Did you ever put any thought into this kind of feature?

I haven't studied your code too much yet, so until I figure out how it works, I threw some global state at the problem and wrote some regretful code: https://gist.github.com/danneu/f5b8b58b87b828b708bb

Obviously that's nasty and this certainly isn't a solution proposal, but it's an example of the kind of validation that would be nice to do.

As for a real solution that might be trivial, one idea off the top of my head would be to be to support an optional property on tag specs:

openTag: ...,
closeTag: ...,
// Returns String (err message) upon validation failure, else returns falsey
errorCheck: function(params, content) {
  if (!params) return 'Missing color parameter';
}

Any ideas? Either way, I'll see what kind of abstraction I end up with once I start refactoring my mess.

Also, I know this is an old project of yours, and it's possible that BBCode and this repo aren't at the forefront of your mind these days like it was back when you wrote it.

Alas, there is no support for the huge number of important markup tags used on rutracker.org. Yes, the site has not been updated for a very long time, but in its current state wysibb looks more attractive, although it is still the same most neutered visual editor.

I spent 2 hours digging through the whole github in search of a full-fledged visual BBCode editor and I still haven't found anything better than wysibb. From this I conclude that the language is simply dead.

    "th": {
        openTag: function(params,content) {
            return '<td>';
        },
        closeTag: function(params,content) {
            return '</td>';
        },
        restrictParentsTo: ["tr"]
    },

->

    "th": {
        openTag: function(params,content) {
            return '<th>';
        },
        closeTag: function(params,content) {
            return '</th>';
        },
        restrictParentsTo: ["tr"]
    },

On your website, this:

You can download the JavaScript module for this here.

links to a .zip that's far behind master.

For example, I didn't stumble upon this repo until I was ready to host my patched version of your .zip file on Github. But now I see that my patches have mostly been taken care of.

Anyways, thanks for sharing your effort. It works well and has saved me a lot of time.

Hi,

I'm including a version of this project in my code after doing an npm install, and I'm getting the following error: Uncaught ReferenceError: module is not defined at xbbcode.js:797

The code block in question is:

// for node
if (module) {
    module.exports = XBBCODE;
}

I presume this is because I'm not using this as part of a node project.

Any help on this matter would be greatly appreciated, thanks!

[email protected] seems to get HTML tags wrong.

Taking <h1>Hello World!</h1> as input, it produces &lt&#59;h1&gt&#59;Hello World!&lt&#59;/h1&gt&#59;.

I had expected <h1>Hello World!</h1>

Reproduction:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <link rel="stylesheet" type="text/css" href="xbbcode.css">
    <title>Example</title>
</head>
<body>
<script src="xbbcode.js"></script>
<script>
    var result = XBBCODE.process({
        text: "<h1>Hello World!</h1>",
    });
    console.error("Errors", result.error);
    console.dir(result.errorQueue);
    console.log(result.html);
</script>
</body>
</html>

Hello, hoping im missing something simple here as this library is exactly what I was looking for.

So I have a "contentedable=true" div. This is a somewhat of a wysiwyg editor. When I want to preview, I cant just send text..as they have added various html tags. SO i pass it the html.. however it looks like this returns the html < > as encoded. Is there by chance an undocumented flag to have it not do this?

To give an exmaple: if I pass

temp = XBBCODE.process({ text: "<p>[b]hello im bold[/b]</p>", });

I get returned
"&lt;p&gt;<span class="xbbcode-b">hello im bold</span>&lt;/p&gt;"

I would expect to get returned
"<p><span class="xbbcode-b">hello im bold</span></p>"

on further reading, i see that it may be by design to prevent XSS, but as this is not an issue in this use case, a flag would be fantastic
{work around is of course to regex back all the <'s and such from their decoded forms, which is what im doing to hold me over}

I'm trying to use the url tag and I see the code for it, but I can't get it to work. I was unable to find an example of how to use it in the included example. I've tried some different formats, but they aren't working.
Example: [url]http://www.site.com[/url] outputs the tags and all.

Is it possible to make this work in both ways?

BBCode -> HTML
HTML -> BBCode

For some reason when html tags are included in the string it doesn't seem to work properly.

For example if you had a string like "

The log is [color=brown][b] dirty[/b][/color]

it doesnt seem to parse the tags right but the bbcode will go through, or the tags will parse correctly with html() but the bbcode is changed to something weird..