AUBBC
Allowing image [img] tags and link [url] or auto-link tags carries security issues that the module cannot control.
You can disable [img] tags by setting "no_img => 1," as shown.
The security issues with the [url] and auto-link tags are not as bad, since the user has to click the link to
get to the risky web site, whereas an image loads automatically.
=head2 FYI
XHTML has better JavaScript security standards than HTML.
Developers can also set cookies with the "httponly" flag to stop JavaScript from
reading that cookie, but the browser must support it.
XSS, browser hijacking and other security risks vary with settings, browser vendors and program versions.
=head1 Tag Security Access
New in v4.05. Assign security levels for links, images, build and code tags.
The default settings allow all tags to be seen, so no changes are needed
if you just want the latest version and do not use this method yet.
This method works with your current authentication and is explained in more detail later.
Note: The smilies are not controlled by this security.
=head2 User Security Levels
Default security levels are listed from low to high:

    # The array numbers >>:    0        1        2            3
    $aubbc->security_levels('Guest', 'User', 'Moderator', 'Administrator');

1) The security levels array must list the security levels from low to high.
2) The names must be spelled the same as the name passed to the user_level() method.
3) Security access is determined by the low-to-high numbers; with the default list, Guest
is number/level 0 in the array. If links were set for User, the link level would have to
be 1 = User, making any lower level unable to see any bbcode links, while the
Administrator would still see all.
=head2 Tag Security Levels
To change the security level of links, images and code, use this method as follows:

    $aubbc->tag_security(
        code => { level => 0, text => 'register to see this', },
        img  => { level => 0, text => 'register to see this', },
        url  => { level => 0, text => 'register to see this', },
    );

level - the array number of the security level
text - the text or HTML to show if the user has no access
Build-your-own tags now have 2 new variables:

    $aubbc->add_build_tag(
        name     => 'ok',
        pattern  => 'l,s',
        type     => 1,
        function => 'My_Message::check_ok_tag',
        level    => 3,
        error    => 'register to see this',
    );

level - the array number of the security level
error - the text or HTML to show if the user has no access
For build tags, leaving these variables blank defaults level to 0 and
error to the $AUBBC::BAD_MESSAGE string.
=head2 User Access
This method receives the current user's security level name from the web application.

    $aubbc->user_level('Administrator');

If you are using the tag security, set the user_level after the user
has been authenticated by the web application and before do_all_ubbc is used.
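How the calls above fit together in a request handler, as an added example that is not taken from the AUBBC distribution. The %session hash, the 'staffnote' tag and the helpers level_for_role and render_post are assumptions made for illustration; every AUBBC method used is one documented on this page.

```perl
use strict;
use warnings;
use AUBBC;

# Level names, low to high. The same list feeds security_levels() and the
# role check below, so the name passed to user_level() always matches exactly.
my @LEVELS = ('Guest', 'User', 'Moderator', 'Administrator');
my %INDEX  = map { $LEVELS[$_] => $_ } 0 .. $#LEVELS;

# Hypothetical helper: turn the application's role string into a level name,
# falling back to the lowest level when the role is missing or not listed.
sub level_for_role {
    my ($role) = @_;
    return ( defined $role && exists $INDEX{$role} ) ? $role : $LEVELS[0];
}

my $aubbc = AUBBC->new();
$aubbc->security_levels(@LEVELS);
$aubbc->tag_security(
    code => { level => $INDEX{Guest}, text => 'register to see this' },
    img  => { level => $INDEX{User},  text => 'register to see this' },
    url  => { level => $INDEX{User},  text => 'register to see this' },
);

# A type 4 build tag (fixed replacement text) limited to Moderator and above.
$aubbc->add_build_tag(
    name     => 'staffnote',
    pattern  => '',
    type     => 4,
    function => 'Staff notice: thread under review.',
    level    => $INDEX{Moderator},
    error    => 'moderators only',
);
die $aubbc->aubbc_error() if $aubbc->aubbc_error();

# Hypothetical per-request entry point: set the level first, then convert.
sub render_post {
    my ($session, $message) = @_;
    $aubbc->user_level( level_for_role( $session->{role} ) );
    return $aubbc->do_all_ubbc($message);
}

# Constructed session: the role is mis-cased, so it is handled as 'Guest'.
my %session = ( role => 'administrator' );
print render_post( \%session, 'Thread status: [staffnote]' ), "\n";
```

Deriving the level numbers from the same array that is passed to security_levels() keeps the tag levels correct if a level is later inserted into the list.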
=head1 Settings
These settings affect a large part of what the do_all_ubbc method can do and what other
methods can do in do_all_ubbc. Some settings are used in many methods.
=head2 $aubbc->settings();
This is the method to change them when needed.

    $aubbc->settings(
        aubbc     => 1,
        utf       => 1,
        smileys   => 1,
        highlight => 1,
        # etc...
    );
=head2 aubbc
Enable or disable the main AUBBC tags. Default 1 is enabled, 0 is disabled.
=head2 utf
Enable or disable UTF tags. Default 1 is enabled, 0 is disabled.
=head2 smileys
Enable or disable smiley tags. Default 1 is enabled, 0 is disabled.
=head2 highlight
Enable or disable code highlighting. Default 1 is enabled, 0 is disabled.
=head2 highlight_function
This can replace the highlighter of AUBBC with a custom one.
You must provide the text name of the pre-defined subroutine that receives the code
tag's text and returns the highlighted text.
=head2 no_bypass
Enable or disable user tags for bypassing whole tag sets. Default 0 is disabled, 1 is enabled.
The bypass tag must be at the very beginning of the message.
Bypass tags must also be in the order of the "Bypass Tag list:" but not on a new line (\n),
and if #none is used the other bypass tags will not be removed.
Bypass Tag list:
#none
highlight_class7 = Variables
highlight_class8 = defining subroutine
highlight_class9 = using subroutine
=head1 Smilies Settings
These are the settings for using custom smilies.
Note: There are no Built-in smilies.
=head2 $aubbc->smiley_hash();
This is how you import your custom smilies hash.
Example:

    use AUBBC;
    my $aubbc = AUBBC->new();
    my %smiley = (lol => 'lol.gif');
    $aubbc->smiley_hash(%smiley);

The way you use this smiley is [lol].
The images_url setting must point to the proper location:

    images_url/smilies/lol.gif
=head1 Build your own tags
These are the settings and methods for using custom tags.
=head2 $aubbc->add_build_tag(name=>'stuff', pattern=>'stuff' , type=>'stuff', function=>'stuff',...);
name - the tag's name, limited to a-z 0-9 - _
pattern - limited to 'all' or 'l,n,-,:,_,s'

    'all' = anything but [ or ]
    'l' = 'a-z'
    'n' = '0-9'
    's' = ' '
    '-' = '-'
    ':' = ':'
    '_' = '_'

type - 1 is style [name://pattern], 2 is style [name]pattern[/name], 3 is style [name].
With type 4 the function setting is not used to run a Perl subroutine; the tag is
replaced with the text defined in the function setting. Type 4 uses style [name] but
works differently than the other build settings; see function below for how type 4 works.
function - a pre-defined subroutine that receives the matched pattern, tag name and returns what you want,
unless type is set to 4, in which case the tag is replaced with the text in the function setting.
Note: if the function returns undefined, '' or 0 the tag will not be changed.
level - the array number of the security level
error - the text or HTML to show if the user has no access
Note: For build tags, leaving these variables blank defaults level to 0 and
error to the $AUBBC::BAD_MESSAGE string.
Usage:

    package My_Message;
    use AUBBC;
    my $aubbc = AUBBC->new();

    $aubbc->add_build_tag(
        name     => 'ok',
        pattern  => 'l,s',
        type     => 1,
        function => 'My_Message::check_ok_tag',
    );
    $aubbc->add_build_tag(
        name     => 'ip',
        pattern  => '',
        type     => 3,
        function => 'My_Message::get_some_tag',
    );
    $aubbc->add_build_tag(
        name     => 'agent',
        pattern  => '',
        type     => 3,
        function => 'My_Message::get_some_tag',
    );
    $aubbc->add_build_tag(
        name     => 'hello',
        pattern  => '',
        type     => 4,
        function => 'Hello World!',
    );

    my $message = '[ok://test me] [ok://test other] [ok://n0 w00rk] [ip] [agent] [hello]';
    $message = $aubbc->do_all_ubbc($message);
    print $message;

    sub check_ok_tag {
        my ($tag_name, $text_from_AUBBC) = @_;
        if ($text_from_AUBBC eq 'test me') {
            return 'Works Good 1';
        }
        else {
            return 'Works Good 2';
        }
    }

    sub get_some_tag {
        my ($tag_name, $text_from_AUBBC) = @_;
        $tag_name = lc($tag_name);
        $text_from_AUBBC = $ENV{'REMOTE_ADDR'} if ($tag_name eq 'ip');
        $text_from_AUBBC = $aubbc->script_escape($ENV{'HTTP_USER_AGENT'}) if ($tag_name eq 'agent');
        return $text_from_AUBBC;
    }

    1;

=head2 $aubbc->remove_build_tag($name, $option);
There are two ways to use this.
1) Remove a single built tag: $aubbc->remove_build_tag($name);
2) Remove all built tags: $aubbc->remove_build_tag('', 1);
=head1 Error Message
=head2 $AUBBC::BAD_MESSAGE
The default message is 'Unathorized'. This message is used when the code finds bad characters in [email] or [img] tags.
Usage of this setting:

    use AUBBC;
    $AUBBC::BAD_MESSAGE = 'Unauthorized use of characters or pattern in this tag.';
    # etc...
=head2 $aubbc->aubbc_error();
There are two errors for add_build_tag that would previously die if the wrong input was given
when adding a build tag. The error message is now stored in this method for the lifetime of
the instance, and any new tag that had an error will not be processed.
Since there are only two errors for add_build_tag, you can check this method after
all new tags have been added. All errors stack in this method and are separated
by a \n newline.
Usage:

    $aubbc->aubbc_error('Insert Your Error'); # Add an error
    print $aubbc->aubbc_error();
    die $aubbc->aubbc_error() if $aubbc->aubbc_error();
=head1 Memoize
This setting can turn AUBBC's usage of Memoize on or off.
=head2 $AUBBC::MEMOIZE
The default setting 1 checks whether Memoize needs to be loaded and, once it is loaded, memoizes the subs that need the speed.
Setting 0 will not use Memoize.
Usage of this setting:

    use Memoize;
    # do other stuff...
    use AUBBC;
    # AUBBC will detect that Memoize was loaded
    # and just load the subs that need the speed.
    my $aubbc = AUBBC->new();
    # etc...
=head1 Debug
The Debug setting will send a lot of messages to warn and is not recommended to leave on all the time.
=head2 $AUBBC::DEBUG_AUBBC
Default is '' off, and Enabled is 1.
Usage of this setting:

    use AUBBC;
    $AUBBC::DEBUG_AUBBC = 1;
    # etc...
=head1 Version
Returns the current version of the module.
=head2 $aubbc->version();
Usage:

    use AUBBC;
    my $aubbc = AUBBC->new();
    my $Current_Version = $aubbc->version();
    print $Current_Version;
=head1 Bugs and Reports
Please report anything you think is a bug to bug-AUBBC [at] rt.cpan.org or shakaflex [at] gmail.com
=head1 History
v4.06 - 04/12/2011
Fixed - The hash for tag_security() needed the images and link renamed to a tag
name being used. Changed the image name to img and the link to url. Read
"Tag Security Levels" for more info.
Fixed - security for links was in method make_link and was causing an access issue
if used outside of the module. Made a new method to check link access now the
make_link method could be used outside of the module without the security access
in it, as intended.
Changed - forgot to say in version 4.05 that I changed the aubbc_error so a new line
will be added after each inserted error.
v4.05 - 04/05/2011
Addition - Assign security levels for links, images, built and code tags.
New subroutine names: security_levels, user_level, tag_security, check_access
Changed - The default value for $AUBBC::BAD_MESSAGE is now 'Unathorized'
v4.04 - 02/05/2011
Fixed - Bug with quote tag, needed to convert all its tags.
v4.03 - 02/03/2011
Addition - New Object method aubbc_error. Developers can now control if or when
to handle errors, see the POD 'Error Message' for usage.
Fixed - All built-in tags only convert balanced tags so no unbalanced HTML can
be produced
Fixed - Bug in code_highlight a highlight regex needed to be changed after
version 4.01 to support the Parser style.
Improvement - Small restructure of add_build_tag and change the 'all' setting
of 'pattern' to allow more.
v4.02 - 11/28/2010
Fixed - The element ID for the code download started at 1 for every instance this
will force the browser to take priority to load the first ID it reads. The fix
starts the counter at 'time.$$.000' to try to produce a more unique ID for each
instance.
Fixed - under the code tag in do_ubbc line " $do_f[8] = '' if $do_f[8]; "
should have been $do_f[9] = '' if $do_f[9];
v4.01 - 11/08/2010
Fixed - Bug that converts the true text typed to the HTML code name.
All parts of the module were affected by this bug; in the code tag, if the
author meant & #59 ; it would show ; . This also caused a long-standing bug with
typing any HTML code name and saving it to a backend.
This fix removes the HTML code name regex in do_unicode and had to add/move two
filters in "script_escape to convert the & to an amp and ; to #59;" and
"html_to_text to convert amp to & and #59 to ;". This fix also helped in allowing
the regexes for highlighting subroutines to be made.
Fixed - had to add a null byte marker to escape_aubbc so the code tag's
highlighter can detect the escaped character and change it back. In do_all_ubbc
All markers get removed before the message is returned because FireFox can see
the null bytes as an error.
Addition - Perl subroutine highlighting for the code tag highlighter. Had a
problem making this till this version because a HTML code name can look like
&TheName; and a Perl subroutine looked the same till ; got converted.
Addition - AUBBC::make_image($align,$src,$width,$height,$alt) this is useful enough
to mention once.
v4.00 - 11/02/2010
Addition - New feature to the code tags aubbc_setting code_download.
the default setting for code_download is '^Download above code^' this message will
be the links name. the link will open a JavaScript pop-up window and write the
code in it to be copied or printed to a printer. A new JavaScript function was
added to the js_print method called MyCodePrint. JavaScript makes this feature
portable and dynamic. the link for code_download is added after the code_extra
setting so a disclaimer can be added before the code_download link
Addition - $AUBBC::MEMOIZE This setting can turn AUBBC's usage of Memoize on or off.
Default setting 1 will check if it needs to load Memoize, if loaded then load the sub's that need the speed.
Setting 0 will not use Memoize.
Addition - AUBBC::make_link($link,$name,$javascript,$target) this is useful enough
to mention once.
Improvement - After lots of testing I have removed all /o in the regex. One main
reason is Memoize provides enough speed.
v3.13 - 09/30/2010
Addition - do_ubbc New built-in tag [list][*=1]... [*]... [/list], This will
follow XHTML or HTML Transitional element style and XHTML or HTML Strict will not
support the elements that tag [*=1] in the [list] will produce
(use the other enumerated List Block tags for XHTML or HTML Strict).
Addition - do_ubbc New built-in tag [em]Hello[/em]
Addition - New value for setting line_break 2 for old <br style. This effects script_escape.
Addition - This module now uses Memoize for a massive speed improvement.
If you thought it was fast before, I hope you're sitting down when you bench this version. LOL
Addition - added setting highlight_function to replace the highlighting method
of AUBBC with a custom one.
Fixed - in do_ubbc the line breaks was invalidating HTML for List Block elements
Improvement - in do_all_ubbc changed defining $msg each time. there could have
been a bug in past versions if an undefined variable was used after a defined message was
converted. was going to allow do_all_ubbc to pass the last message but decided
other people may see that as a bug.
Improvement - in do_all_ubbc moved if $do_flag[4] for no_bypass to a better spot
Improvement - in do_all_ubbc moved if for for_links to a better spot
Improvement - changed tags left,right and center to only convert balanced tags
v3.00 - 09/14/2010