Skip to main content
I realized today that some applications out there still use #BBCode for non-legacy reasons. I really have no idea why anybody would do that in year 2020. It’s a very questionable decision security-wise, and it has no usability benefits either. #infosec #security #XSS
#security #infosec #BBCode #XSS
Hypolite Petovan
Hypolite Petovan  
Would you earnestly like to know a reason why #Friendica still uses BBCodes?
#friendica
Yellow Flag
Yellow Flag  
If you can provide the insight – sure.
Hypolite Petovan
Hypolite Petovan  
I'm on the core #Friendica development team so I believe I can provide the insight: We offer a few custom BBCode tags related to the fact that Friendica supports multiple protocols that we would have to port to whatever other markup language we would choose.

For applications that only require basic formatting, Markdown is hands down the better candidate for the job, but I have no experience adding custom markup for Markdown so I have no idea what it would entail for us.

Security-wise, we're looking into using an HTML sanitization library so that we can precisely control what's being produced because we've had a recent report about an XSS vulnerabilty so I'm with you on that front.
#friendica
Yellow Flag
Yellow Flag  
Ehm, I know, I created that report. Now guess what the context of this thread is. 😉

So it’s all about custom markup? Out of the top of my head, a generic solution with Markdown would be adding some custom HTML tags. These can be processed independently of the Markdown processor, either before or after the processor runs (security-wise the former is preferable but might not be flexible enough).
Hypolite Petovan
Hypolite Petovan  
Ha, I didn't make the connection between your GitHub account and this Mastodon one.

It is about custom markup but it also is about legacy reasons (but your original post was not about them). The Friendica project was started in 2010 by someone who didn't care about the right way to program and cared more about privacy than security or usability. So we have been constantly wrestling with legacy code and behaviors which has somewhat hampered our efforts to improve the software.

Thank you for the suggestion, we also have been looking into using a BBCode lexer to improve both the security and allow tag nesting but we've ran into specific compatibility issues that the upstream library reportedly fixed, but I haven't taken the time to go back to it.
Beko Pharm (deprecated)
Beko Pharm (deprecated)  
I wonder why (the connection). @WPalant is doing this exemplary well by listing profiles on the personal website to tell profile equivalence 🤓
@Yellow Flag
Hypolite Petovan
Hypolite Petovan  
Because this is how the post looks on my Friendica instance:

Notice the different display name and profile picture than both his current on Mastodon and on GitHub.
Beko Pharm (deprecated)
Beko Pharm (deprecated)  
I see space for improvement on this.
Hypolite Petovan
Hypolite Petovan  
There's nothing technical that can be improved about this. He decided to have two separate Mastodon accounts with different display names/profile pictures, I decided not to consult his Mastodon profile before replying to him.

Additionally, missing the connection was inconsequential because I would have replied the same to him whether I knew he posted the GitHub issue or not as we didn't go into the why on the issue.
Yellow Flag
Yellow Flag  
It was simply funny because I was certain that you looked up my Mastodon account coming from that issue I created. It never occurred to me that you stumbled upon this thread simply because somebody unrelated mentioned Friendica using BBCode. @bekopharm
@Beko Pharm (deprecated)
Hypolite Petovan
Hypolite Petovan  
This post of yours was brought to my attention because I follow @lostinlight. The coincidence is funny indeed!
@lostinlight
This entry was edited (4 years ago)