"Allow HTML" option
gene

  • Total Posts : 37
  • Reward points : 0
  • Joined: 07/08/2002
  • Status: offline
"Allow HTML" option - 07/14/2002 11:54:25 AM
I know the perils of allowing HTML in posts, but we've done it for a couple of years without any major consequences and our users now expect it. I know I can modify the code to allow it but thought it should be a standard option within the forum configuration area of the admin panel, as it is in many other board applications.

Thanks!

Gene
Samuel

  • Total Posts : 9151
  • Reward points : 27365
  • Joined: 05/23/2001
  • Status: offline
RE: "Allow HTML" option - 07/14/2002 05:13:02 PM
UPDATE =>

Please see this post: http://www.aspplayground.net/forum/fb.asp?m=373577
ASPPlayground.net Developer
gene

  • Total Posts : 37
  • Reward points : 0
  • Joined: 07/08/2002
  • Status: offline
RE: "Allow HTML" option - 07/14/2002 05:29:39 PM
I understand the security concern regarding Javascript but this is easily taken care of using search/replace functions. For example, we had situations where people were using what I called "script images" for various "countdown timers" and these were calling CGI scripts on other servers which were causing pop-up ads to appear when people visited pages on our boards that had one of these script images embedded. So we simply parsed all script images and replaced them with a standard graphic:



I also parsed out any Javascript or VBScript, as well.

So while allowing any and all HTML is a security risk, if you parse it to remove any potentially harmful scripts first, it's not a problem.

The only real hazard is when someone doesn't use table tags appropriately, as this messes up the layout of the page, but that's easily remedied by the moderators ("DELETE").

<Message edited by gene -- 2002-07-14 17:30:02>
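Gene's approach above is a search-and-replace blocklist: strip known script patterns and swap "script images" for a stock graphic. The added example below (written for this edit, not code from this thread or from ASPPlayground) shows the allow-list form of the same idea in JavaScript: every tag and attribute is dropped unless explicitly permitted, and an `<img>` keeps its `src` only when it points at a plain static image, otherwise it gets a placeholder. The tag set, the placeholder path and the image-URL rule are assumptions chosen for the example.

```javascript
// Allow-list HTML sanitizer for user post bodies (added example, not forum code).
// Anything not explicitly allowed is either dropped (tags/attributes) or escaped (text).
const ALLOWED = {                       // assumption: tags a board might permit
  b: [], i: [], u: [], br: [], p: [], table: [], tr: [], td: [],
  a: ["href"], img: ["src", "alt"],
};
const PLACEHOLDER = "/images/blocked.gif"; // assumption: stand-in graphic

function escapeText(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
          .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Keep only http(s) URLs ending in a static image extension with no query string;
// a CGI "countdown timer" URL therefore becomes the placeholder graphic.
function safeImageSrc(src) {
  return /^https?:\/\/[^?#"'<>\s]+\.(gif|jpe?g|png)$/i.test(src) ? src : PLACEHOLDER;
}

function safeHref(href) {               // blocks javascript:, vbscript:, data: etc.
  return /^(https?:\/\/|mailto:)/i.test(href) ? href : "#";
}

function sanitize(html) {
  // Remove whole <script>/<style> elements including their bodies.
  html = html.replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, "");
  const out = [];
  const tagRe = /<(\/?)([a-zA-Z][\w:-]*)([^<>]*?)\/?>/g;
  let last = 0, m;
  while ((m = tagRe.exec(html)) !== null) {
    out.push(escapeText(html.slice(last, m.index))); // text between tags is escaped
    last = tagRe.lastIndex;
    const [, closing, rawName, rawAttrs] = m;
    const name = rawName.toLowerCase();
    if (!(name in ALLOWED)) continue;               // unknown tag: dropped entirely
    if (closing) { out.push(`</${name}>`); continue; }
    const attrs = [];
    const attrRe = /([a-zA-Z][\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
    let a;
    while ((a = attrRe.exec(rawAttrs)) !== null) {
      const key = a[1].toLowerCase();
      if (!ALLOWED[name].includes(key)) continue;   // drops onload=, style=, etc.
      let val = a[2] ?? a[3] ?? a[4] ?? "";
      if (key === "src") val = safeImageSrc(val);
      if (key === "href") val = safeHref(val);
      attrs.push(` ${key}="${escapeText(val)}"`);  // tag is rebuilt, never passed through
    }
    out.push(`<${name}${attrs.join("")}>`);
  }
  out.push(escapeText(html.slice(last)));
  return out.join("");
}
```

Because each allowed tag is rebuilt from parsed attributes rather than copied from the input, a malformed tag that the tokenizer does not recognise falls through to text escaping instead of reaching the browser as markup.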
gene

  • Total Posts : 37
  • Reward points : 0
  • Joined: 07/08/2002
  • Status: offline
RE: "Allow HTML" option - 07/15/2002 12:08:00 AM
Okay, I've been dinking around with your code (and teaching myself Javascript and RegEx's in the process) and see why enabling HTML can be difficult on this forum. I've done it, but I'm not totally satisfied, as I'm replacing all incidences of double-quotes in the "body" variable with single-quotes prior to passing it to pgdCode in m.asp and tm.asp.

Couple of questions:

1) Where exactly do you replace the double-quotes with the &quot; phrase?

2) Why do quotes get replaced with quotes-plus-spaces? I have programmed around it, but am curious as to why you do this (I think it's in SQLIn and SQLOut).

3) Where are you replacing the vbcrlf with a <br>? This is happening in some of my own internal table code within a post (for the countdown timers) except that it's happening on a <tr> line and I would like to prevent this.

BTW, I've come to the conclusion that this forum has the best design I've ever seen -- it is absolutely the least server intensive app while maintaining one of the most robust feature sets of all the ASP solutions around. When you have Javascript parsing all the UBB/PGDCode, you *obviously* know what you're doing. You've done a hell of a job, Samuel!

Thanks for any help/insight you can provide,

Gene
"Beer is proof that God loves man" -- Ben Franklin
Samuel

  • Total Posts : 9151
  • Reward points : 27365
  • Joined: 05/23/2001
  • Status: offline
RE: RE: "Allow HTML" option - 07/15/2002 12:26:57 AM
Thanks Gene for your comment!

I am not sure if you will be able to read this message (server will be down) so I will answer you as quickly as possible:

1) Where exactly do you replace the double-quotes with the " phrase?


It is in SQLout function.

2) Why do quotes get replaced with quotes-plus-spaces?


It is for search. See, without full-text indexing capability, you won't be able to search words that are surrounded by "". Like you can't search the word "ALOHA" (with quote). So I decided to add a space after each double quote and single quote and have my code perform the search on space(1)+searched term. This is how we do search when you choose single byte character in the search interface.

This is a very sophisticated way to prevent unwanted results. Like you don't want to see readable when you just want to search able, but what about "able" (with quote)?

The same applies to vbcrlf. You can try searching the word able and you will know what I mean.

3) Where are you replacing the vbcrlf with a <br>?

It is in m_process.asp

Again, thank you for your comment. I have tried my best to use the browser's JS capability to reduce server loads. We can actually use RegExp with VBScript, but it is way, way, way slower than JScript. And since today's PC has a lot more CPU power than before, why not use it? (my home PC has 2.2GHz CPU => a lot more powerful than my current server)
<Message edited by samuel -- 2002-07-15 0:44:15>
ASPPlayground.net Developer

© 2000-2008 ASPPlayground.NET Forum Version 3.2 a