10-24-2015, 10:07 AM
(This post was last modified: 10-24-2015, 10:10 AM by Silverthorn.)
(10-23-2015, 07:04 PM)MangaD Wrote: (10-23-2015, 06:27 PM)Doctor A Wrote: Did you consider a normal string-manipulation approach? That might be simpler to get right than getting regular expressions to work.
I think maybe writing a plugin (php) for tables bbcode might work. But I haven't had the time to take a look at how MyBB plugins work exactly, I'd like to hear BP's opinion on this.
Writing plugins is no issue, really. In fact, since the last major upgrade, I shifted almost all edits to a self-written plugin where feasible. Some edits, though, dig so deep into the core-files that it's not possible to reproduce them in a plugin-like manner.
Thing is that the post-parser is one of the slowest elements of the whole forums. In other words, it contributes mostly to the server load. Adding any additional elements to the parser would slow the speed down even further. In the concrete example of tables, there are two routes one could travel:
1) (bad) Use an HTML validator at the end of the parsing process. If it finds that the (parsed) post contains invalid elements, the post will be displayed as blank. I think this is also how badly formed quotes are handled right now.
2) (good) Write an actual parser-enhancement that will attempt to fix badly formed html (hard). Rogue tr or td tags would be padded in additionally created tables.
Either way, this is so prone to errors that I'm afraid of ever tackling it. The more features of an html-table one tries to reproduce, the harder it gets (especially in the context of nested tables).
I honestly didn't think too much of string-manips because everything else in the post-parser works with regex, but I am fairly certain that the former is not going to be too much easier to handle, really. The greatest problem is that parsing tables itself is already challenging, but how is it going to handle broken code?
(10-23-2015, 07:04 PM)MangaD Wrote: (10-23-2015, 06:27 PM)Doctor A Wrote: Edit: What are some examples that may cause a problem in the layout
Causing problems in the layout is very easy, an example would be using <td> or <tr> outside a <table>, the results would look like this:
[tr][td]some text[/td][/tr]: http://s6.postimg.org/cl5u9r8rl/tr_td.png
[td]some text[/td]: http://s6.postimg.org/e1hcrwboh/image.png
This is actually possible to do at HFE right now, but I don't expect people to do it of course.
I also expected people not to use badly-formed code in their posts/signatures.
@MangaD gave you a few, I just cannot find the thread where somebody (I think it was @Bamboori) slapped a whole bunch of html-code into a post and it completely messed up the theme. Must've been him, because there weren't that many people who used the eyecancer-green theme.
Should've really compiled a list of that, I'm now just referring to my memory :/
(10-23-2015, 06:27 PM)Doctor A Wrote: or become a security exploit?
The classic would be phishing. Add an iframe, scale it so that it fits the entire browser's window, and pretend to do something LFE-related while asking for sensitive data. Off the top of my head, there are quite a few ways to implement that, so there are at least 5x more. The chances that anybody falls for that are low but not zero, which is unacceptable to me.
Second is providing semi-broken code. Stuff that will generally not work unless a specific context is provided. Something like
this (Click to View)
edit: curses! Ninja'd once again!
(10-24-2015, 10:04 AM)Hellblazer Wrote: Did Flash get doomed as well?
Yes. Embedding objects is per se dangerous from a security standpoint, especially if flash/java are enabled in your browser.
Silverthorn / Blue Phoenix
~ Breaking LFE since 2008 ~
"Freeze, you're under vrest!" - Mark, probably.
» Gallery | » Sprites | » DeviantArt
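A sketch of route 2 from the post above, done with a tag stack rather than regex replacement. This is an added example, not part of the thread and not MyBB code. The function name repair_table_bbcode and the [table]/[tr]/[td] tag set are assumptions, and every other piece of text is simply HTML-escaped instead of being run through the rest of a BBCode parser.

```php
<?php
// Added example, not MyBB code. Tables nest only as table > tr > td > table ...,
// so the stack of open tags is always that repeating chain and its depth alone
// tells which element may be opened next.
function repair_table_bbcode(string $post): string
{
    $names = ['table', 'tr', 'td'];                    // rank 0, 1, 2
    $stack = [];                                       // currently open elements
    $out   = '';
    $open = function () use (&$stack, &$out, $names) { // open next link of the chain
        $tag = $names[count($stack) % 3];
        $stack[] = $tag;
        $out .= "<$tag>";
    };
    $close = function () use (&$stack, &$out) { $out .= '</' . array_pop($stack) . '>'; };
    // Rank of the innermost open element, -1 when nothing is open.
    $topRank = function () use (&$stack) { return (count($stack) - 1) % 3; };

    $tokens = preg_split('~(\[/?(?:table|tr|td)\])~i', $post, -1,
                         PREG_SPLIT_DELIM_CAPTURE | PREG_SPLIT_NO_EMPTY);
    foreach ($tokens as $tok) {
        if (!preg_match('~^\[(/?)(table|tr|td)\]$~i', $tok, $m)) {
            $loose = in_array($topRank(), [0, 1], true);        // directly in table or tr
            if ($loose && trim($tok) === '') continue;          // layout whitespace only
            while (in_array($topRank(), [0, 1], true)) $open(); // text needs a cell
            // Escape everything else so raw HTML typed into a post stays inert.
            $out .= htmlspecialchars($tok, ENT_QUOTES, 'UTF-8');
            continue;
        }
        $rank = array_search(strtolower($m[2]), $names, true);
        if ($m[1] === '/') {
            if ($topRank() < $rank) continue;          // stray closing tag: drop it
            while ($topRank() > $rank) $close();       // close forgotten children
            $close();
        } else {
            if ($rank > 0) while ($topRank() >= $rank) $close(); // implied sibling close
            while (count($stack) % 3 !== $rank) $open();         // pad missing parents
            $open();
        }
    }
    while ($stack) $close();                           // close whatever was left open
    return $out;
}

// Constructed sample posts; the first two are the rogue-tag cases quoted above.
foreach (['[tr][td]some text[/td][/tr]', '[td]some text[/td]',
          '[table][tr][td]a[td]b[/table] <iframe src=x>'] as $post) {
    echo repair_table_bbcode($post), "\n";
}
```

Because the output is built only from tags the function itself emits, the result is well-formed for any input, including nested tables, and it needs one linear pass over the post.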